Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: GSA_kwCzR0hTQS12Zjc4LTNxOWYtOTJnM84AA04H
Hard-coded System User Credentials in Folio Data Export Spring module
Impact
The module creates a system user that is used to perform internal module-to-module operations. Credentials for this user are hard-coded in the source code. This makes it trivial to authenticate as this user, resulting in unauthorized access to potentially dangerous APIs, allowing to view and modify configuration including single-sign-on configuration, to read, add and modify user data, and to read and transfer fees/fines in a patron's account.
Patches
Upgrade mod-data-export-spring to >=2.0.2, or a 1.5.x version >=1.5.4.
Workarounds
No known workarounds.
References
https://wiki.folio.org/x/hbMMBw - FOLIO Security Advisory with Upgrade Instructions
https://github.com/folio-org/mod-data-export-spring/commit/93aff4566bff59e30f4121b5a2bda5b0b508a446 - Fix
JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS12Zjc4LTNxOWYtOTJnM84AA04H
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Critical
Classification: General
Published: 9 months ago
Updated: 9 months ago
CVSS Score: 10.0
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:N
Identifiers: GHSA-vf78-3q9f-92g3
References:
- https://github.com/folio-org/mod-data-export-spring/security/advisories/GHSA-vf78-3q9f-92g3
- https://github.com/folio-org/mod-data-export-spring/commit/93aff4566bff59e30f4121b5a2bda5b0b508a446
- https://wiki.folio.org/x/hbMMBw
- https://github.com/advisories/GHSA-vf78-3q9f-92g3
Blast Radius: 1.0
Affected Packages
maven:org.folio:mod-data-export-spring
Affected Version Ranges: < 1.5.4, >= 2.0.0, < 2.0.2Fixed in: 1.5.4, 2.0.2