Headline
CVE-2022-47634: Advisory Report for M-Vault Denial of Service Vulnerability
M-Link Archive Server in Isode M-Link R16.2v1 through R17.0 before R17.0v24 allows non-administrative users to access and manipulate archive data via certain HTTP endpoints, aka LINK-2867.
Summary
Incorrect Access Control Vulnerability
Release Date
21st December 2022
Product
M-Link
Version(s)
16.2v1 to 17.0v23
CVE ID
CVE-2022-47634
Summary of vulnerability
This advisory discloses a critical vulnerability introduced in version R16.2v1 of M-Link. The following versions are affected by this vulnerability:
- M-Link R16.2v1 to R17.0v23.
There is a bug where, after successful authentication as a non-administrative user, an attacker with knowledge of the correct HTTP URLs is able to access and manipulate archive data.
Severity
Isode rates the severity level of this vulnerability as medium, according to the CVSS system (details can be found at www.first.org).
Mitigation
This vulnerability has been fixed in M-Link R17.0v24, and affected deployments are advised to upgrade to this version immediately. Later versions (such as the subsequent major release R19.2) are not affected by this vulnerability.
Acknowledgements
This vulnerability was discovered, with thanks from Isode, by Jerome Nokin of the NATO Cyber Security Centre (NCSC).