Ecosyste.ms: Advisories

Security Advisories: MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLTV2OTUtdjhjOC0zcmg2

Privilege escalation in rbac

Impact

Using a carefully crafted request or malicious proxy, a user with UserWrite permissions could create another user with higher privileges than their own due to insufficient checks on the allowed set of permissions. The event would be captured in the Event Log.

Patches

The issue has been fixed in 0.24.0 and 0.23.1.

Workarounds

For users who are unable to upgrade, we recommend auditing users who have UserWrite permissions and regularly reviewing the Event Log for malicious activity.

Kudos

Thank you to Michael Mazzolini (Ethical Hacker at WHO) for finding and disclosing this vulnerability.

Permalink: https://github.com/advisories/GHSA-5v95-v8c8-3rh6
JSON: https://advisories.ecosyste.ms/api/v1/advisories/MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLTV2OTUtdjhjOC0zcmg2
Source: GitHub Advisory Database
Origin: Unspecified
Severity: High
Classification: General
Published: almost 3 years ago
Updated: about 1 year ago

CVSS Score: 8.8
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Identifiers: GHSA-5v95-v8c8-3rh6, CVE-2021-22538
References:

• https://github.com/google/exposure-notifications-verification-server/security/advisories/GHSA-5v95-v8c8-3rh6
• https://nvd.nist.gov/vuln/detail/CVE-2021-22538
• https://github.com/google/exposure-notifications-verification-server/commit/eb8cf40b12dbe79304f1133c06fb73419383cd95
• https://github.com/google/exposure-notifications-verification-server/releases/tag/v0.23.1
• https://github.com/google/exposure-notifications-verification-server/releases/tag/v0.24.0
• https://github.com/advisories/GHSA-5v95-v8c8-3rh6

Repository: https://github.com/google/exposure-notifications-verification-server
Blast Radius: 0.0

Affected Packages