CVE-2023-35154: Account validation bypass
Knowage is an open source analytics and business intelligence suite. Starting in version 6.0.0 and prior to version 8.1.8, an attacker can register and activate their account without having to click on the link included in the email, allowing them access to the application as a normal user. This issue has been patched in version 8.1.8.
When a user registers an account via the endpoint /knowage/restful-services/signup/create, the account is blocked by setting
flgPwdBlocked to true.
// knowage-core/src/main/java/it/eng/spagobi/signup/service/rest/Signup.java
SbiUser user = new SbiUser();
user.setUserId(username);
user.setPassword(Password.encriptPassword(password));
user.setFullName(name + " " + surname);
user.getCommonInfo().setOrganization(defaultTenant);
user.getCommonInfo().setUserIn(username);
user.setFlgPwdBlocked(true);
// […]
int id = userDao.fullSaveOrUpdateSbiUser(user);
However, the endpoint /knowage/restful-services/credential/, which is exposed to anonymous users, resets this flag whether or
not the account has been activated.
// knowage-core/src/main/java/it/eng/spagobi/api/CredentialResource.java
@PublicService
public Response change(final ChangePasswordData data) {
    // […]
    final String userId = data.getUserId();
    final String oldPassword = data.getOldPassword();
    final String newPassword = data.getNewPassword();
    final String newPasswordConfirm = data.getNewPasswordConfirm();
    if (StringUtils.isEmpty(userId)) {
        // […]
    } else {
        ISbiUserDAO userDao = DAOFactory.getSbiUserDAO();
        SbiUser tmpUser = userDao.loadSbiUserByUserId(userId);
        try {
            if (PasswordChecker.getInstance().isValid(tmpUser, oldPassword, newPassword, newPasswordConfirm)) {
                // […]
                tmpUser.setFlgPwdBlocked(false);
                userDao.updateSbiUser(tmpUser, tmpUser.getId());
                // […]
This allows an attacker to register and activate an account without clicking the link included in the email, which also
works in deployments where no email service is configured.
It’s also important to note that the registration page does not seem to be displayed when a user accesses the application
without prior authentication.
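The flag handling described above, as an added Python model that is not Knowage code: signup starts the account blocked, the credential endpoint clears the flag unconditionally, and a hypothetical hardened variant refuses the change for an account that has never been activated. The separate activated state and the plaintext password comparison are assumptions of the model, not something the advisory or Knowage specifies.

```python
from dataclasses import dataclass


@dataclass
class User:
    user_id: str
    password: str                  # plaintext only in this model (assumption)
    flg_pwd_blocked: bool = True   # signup/create sets flgPwdBlocked to true
    activated: bool = False        # assumed separate activation state (not in Knowage)


def signup_create(users, user_id, password):
    """Mirror of /signup/create: a new account starts blocked."""
    users[user_id] = User(user_id, password)
    return users[user_id]


def activate_via_email_link(users, user_id):
    """Intended activation path: the email link unblocks the account."""
    users[user_id].flg_pwd_blocked = False
    users[user_id].activated = True


def _password_change_ok(u, old_pw, new_pw, confirm):
    """Stand-in for PasswordChecker.isValid in this model."""
    return u is not None and u.password == old_pw and new_pw == confirm


def credential_change_vulnerable(users, user_id, old_pw, new_pw, confirm):
    """Pre-8.1.8 behaviour of /credential/: any valid change clears the block."""
    u = users.get(user_id)
    if not _password_change_ok(u, old_pw, new_pw, confirm):
        return False
    u.password = new_pw
    u.flg_pwd_blocked = False   # unconditional: this is the activation bypass
    return True


def credential_change_hardened(users, user_id, old_pw, new_pw, confirm):
    """Hypothetical fix: an account that never activated cannot unblock here."""
    u = users.get(user_id)
    if not _password_change_ok(u, old_pw, new_pw, confirm) or not u.activated:
        return False            # must follow the email link first
    u.password = new_pw
    u.flg_pwd_blocked = False   # still valid for activated-but-blocked users
    return True


def can_login(users, user_id, password):
    """Blocked accounts cannot log in, whatever the password."""
    u = users.get(user_id)
    return u is not None and u.password == password and not u.flg_pwd_blocked
```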
Impact
An attacker can register and activate his account without having to click on the link included in the email, allowing him to gain access to the application as a normal user.
Patches
You need to upgrade to Knowage 8.1.8 or a later version.
Workarounds
No workaround is available.