Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: GSA_kwCzR0hTQS14Y3A0LTYydmotY3Ezcs4AA74o
@valtimo/components exposes access token to form.io
Impact
When opening a form in Valtimo, the access token (JWT) of the user is exposed to api.form.io via the x-jwt-token header. An attacker can retrieve personal information from this token, or use it to execute requests to the Valtimo REST API on behalf of the logged-in user.
This issue is caused by a misconfiguration of the Form.io component.
Attack requirements
The following conditions have to be met in order to perform this attack:
- An attacker needs to have access to the network traffic on the api.form.io domain.
- The content of the x-jwt-token header is logged or otherwise available to the attacker.
- An attacker needs to have network access to the Valtimo API.
- An attacker needs to act within the time-to-live of the access token. The default TTL in Keycloak is 5 minutes.
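A defender-side check for the exposure described above, as an added example that is not part of the advisory or of the Valtimo project: it scans egress-proxy log lines for requests to api.form.io that carry an x-jwt-token header, decodes the leaked JWT's claims (no signature verification, since the aim is only to see what was exposed), and reports whether the token is still inside its TTL and therefore still usable against the Valtimo API. The log line format, hostnames, Keycloak realm URL and sample tokens are all constructed assumptions.

```python
import base64
import json
from datetime import datetime, timezone

FORMIO_HOST = "api.form.io"   # host the advisory names as receiving the token
LEAK_HEADER = "x-jwt-token"   # header the advisory names as carrying it

def _b64url_decode(segment: str) -> bytes:
    # JWT segments are unpadded base64url; restore padding before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def jwt_claims(token: str) -> dict:
    # Inspect the payload only; the signature is irrelevant to what was exposed.
    _header, payload, _sig = token.split(".")
    return json.loads(_b64url_decode(payload))

def find_leaked_tokens(log_lines, now):
    """Flag api.form.io requests carrying x-jwt-token; note whose token and whether it is inside its TTL."""
    findings = []
    for line in log_lines:
        ts, host, path, headers_json = line.split(" ", 3)
        if host != FORMIO_HOST:
            continue
        headers = {k.lower(): v for k, v in json.loads(headers_json).items()}
        token = headers.get(LEAK_HEADER)
        if not token:
            continue
        claims = jwt_claims(token)
        exp = datetime.fromtimestamp(claims["exp"], tz=timezone.utc)
        findings.append({"time": ts, "path": path, "issuer": claims.get("iss"),
                         "subject": claims.get("sub"), "still_valid": now < exp})
    return findings

def _make_token(claims: dict) -> str:
    # Constructed sample JWT (header + payload + dummy signature); never a real credential.
    enc = lambda d: base64.urlsafe_b64encode(json.dumps(d).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'RS256', 'typ': 'JWT'})}.{enc(claims)}.sig"

# Constructed egress log: "<timestamp> <host> <path> <request headers as JSON>".
SAMPLE_NOW = datetime(2024, 5, 1, 12, 0, tzinfo=timezone.utc)
_ISS = "https://keycloak.example/realms/valtimo"  # assumed Keycloak realm, not from the advisory
LEAKED = _make_token({"iss": _ISS, "sub": "user-123", "exp": int(SAMPLE_NOW.timestamp()) + 240})
EXPIRED = _make_token({"iss": _ISS, "sub": "user-456", "exp": int(SAMPLE_NOW.timestamp()) - 60})
SAMPLE_LOG = [
    f'2024-05-01T11:59:00Z api.form.io /form/abc123 {json.dumps({"X-JWT-Token": LEAKED})}',
    f'2024-05-01T11:59:05Z api.form.io /form/abc123/submission {json.dumps({"x-jwt-token": EXPIRED})}',
    f'2024-05-01T11:59:10Z valtimo.example /api/v1/case {json.dumps({"Authorization": "Bearer " + LEAKED})}',
    f'2024-05-01T11:59:20Z api.form.io /project {json.dumps({"Accept": "application/json"})}',
]
```

Only the two api.form.io requests that actually carry the header are reported; the first token has four minutes of its five-minute TTL left, the second has already expired.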
Patches
Versions 10.8.4, 11.1.6 and 11.2.2 have been patched.
Permalink: https://github.com/advisories/GHSA-xcp4-62vj-cq3r
JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS14Y3A0LTYydmotY3Ezcs4AA74o
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Critical
Classification: General
Published: 7 months ago
Updated: 7 months ago
CVSS Score: 9.8
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Identifiers: GHSA-xcp4-62vj-cq3r, CVE-2024-34706
References:
- https://github.com/valtimo-platform/valtimo-frontend-libraries/security/advisories/GHSA-xcp4-62vj-cq3r
- https://github.com/valtimo-platform/valtimo-frontend-libraries/commit/1aaba5ef5750dafebbc7476fb08bf2375a25f19e
- https://github.com/valtimo-platform/valtimo-frontend-libraries/commit/8c2dbf2a41180d2b0358d878290e4d37168f0fb6
- https://github.com/valtimo-platform/valtimo-frontend-libraries/commit/d65e05fd2784bd4a628778b34a5b79ce2f0cef8c
- https://nvd.nist.gov/vuln/detail/CVE-2024-34706
- https://github.com/advisories/GHSA-xcp4-62vj-cq3r
Blast Radius: 4.7
Affected Packages
npm:@valtimo/components
Dependent packages: 1
Dependent repositories: 3
Downloads: 370 last month
Affected Version Ranges: >= 11.2.0, < 11.2.2, >= 11.0.0, < 11.1.6, < 10.8.4
Fixed in: 11.2.2, 11.1.6, 10.8.4
All affected versions: 4.15.2, 4.16.0, 4.17.0, 4.18.0, 4.19.0, 4.20.0, 4.21.0, 4.22.0, 4.23.0, 5.0.0, 5.1.0, 5.2.0, 5.3.0, 5.4.0, 5.5.0, 5.6.0, 5.7.0, 5.8.0, 5.9.0, 5.9.1, 5.10.0, 5.11.0, 5.12.0, 5.12.1, 5.13.0, 5.14.0, 5.15.0, 5.15.1, 5.15.2, 10.0.0, 10.0.1, 10.1.0, 10.2.0, 10.2.1, 10.3.0, 10.4.0, 10.5.0, 10.5.1, 10.6.0, 10.7.0, 10.8.0, 10.8.1, 10.8.2, 10.8.3, 11.0.0, 11.1.0, 11.1.2, 11.1.4, 11.1.5, 11.2.0, 11.2.1
All unaffected versions: 10.8.4, 11.1.6, 11.2.2, 11.3.0, 11.3.1, 11.3.2, 11.3.3, 12.0.0, 12.0.1, 12.1.0, 12.1.1, 12.1.2, 12.1.3, 12.2.0, 12.2.1, 12.3.0, 12.3.1, 12.4.0, 12.4.1, 12.5.0