CVE-2022-44796: Escalation of privileges vulnerability in Object First - Object First

An issue was discovered in Object First 1.0.7.712. The authorization service has a flow that allows getting access to the Web UI without knowing credentials. For signing, the JWT token uses a secret key that is generated through a function that doesn’t produce cryptographically strong sequences. An attacker can predict these sequences and generate a JWT token. As a result, an attacker can get access to the Web UI. This is fixed in 1.0.13.1611.


Note: Object First will continue to update this vulnerability as new information becomes available.

Date: 2022-10-24

Status: Final

CVEs: TBA

  • Overview
  • Affected Versions
  • Remediation
  • Revision History

**Summary**

The authorization service has a flow that allows access to the Web UI without knowing any credentials. The secret key used to sign the JWT token is generated by a function that does not produce cryptographically strong sequences.

**Impact**

An attacker can predict these sequences and generate a JWT token. As a result, an attacker can get access to the Web UI.
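The weakness described above is a key-generation problem rather than a JWT-format problem: HS256 is only as strong as the secret that feeds the HMAC. The following Python is an added illustration, not code from Object First (the product's actual generation function is not published in this advisory). It uses a seeded Mersenne-Twister `random.Random` as a stand-in for "a function which doesn't produce cryptographically strong sequences", shows the hardened form using the OS CSPRNG via `secrets`, and includes two review checks a defender can run on their own key-generation code: whether the generator reproduces the same key from the same inputs, and whether a deployed key falls inside a small, enumerable seed space. The function names and the seed range are assumptions for the example.

```python
import base64
import hashlib
import hmac
import json
import random
import secrets

# Weak (illustrative): a non-cryptographic PRNG seeded from a guessable value.
# Anyone who can reproduce the seed reproduces the key; this stands in for the
# advisory's "function which doesn't produce crypto strong sequences".
def weak_secret(seed: int, nbytes: int = 32) -> bytes:
    rng = random.Random(seed)
    return bytes(rng.getrandbits(8) for _ in range(nbytes))

# Hardened: key material drawn from the operating system CSPRNG.
def strong_secret(nbytes: int = 32) -> bytes:
    return secrets.token_bytes(nbytes)

def _b64url(data: bytes) -> str:
    # JWT uses unpadded base64url
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def sign_hs256(claims: dict, key: bytes) -> str:
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    payload = _b64url(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"

def verify_hs256(token: str, key: bytes) -> bool:
    try:
        header, payload, sig = token.split(".")
    except ValueError:
        return False
    expected = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    # constant-time comparison of the encoded signatures
    return hmac.compare_digest(_b64url(expected), sig)

# Review check 1: a sound key generator must never return the same key twice
# when called the same way. A reproducible generator is predictable by design.
def key_is_reproducible(generator, *args) -> bool:
    return generator(*args) == generator(*args)

# Review check 2: run against your OWN deployed key. If it matches any key the
# weak generator produces over a small seed range, the key is derivable from
# that seed and must be rotated to CSPRNG output.
def key_in_weak_space(key: bytes, seed_range: range) -> bool:
    return any(weak_secret(seed, len(key)) == key for seed in seed_range)

def demo() -> dict:
    # constructed sample: a server that seeded its generator with a tiny value
    deployed_weak = weak_secret(4242)
    deployed_strong = strong_secret()
    token = sign_hs256({"sub": "admin", "role": "ui"}, deployed_strong)
    return {
        "weak_is_reproducible": key_is_reproducible(weak_secret, 4242),
        "strong_is_reproducible": key_is_reproducible(strong_secret),
        "weak_key_found_in_seed_space": key_in_weak_space(deployed_weak, range(0, 10_000)),
        "strong_key_found_in_seed_space": key_in_weak_space(deployed_strong, range(0, 10_000)),
        "token_verifies_with_right_key": verify_hs256(token, deployed_strong),
        "token_verifies_with_other_key": verify_hs256(token, strong_secret()),
    }

if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The fix that matters is the one-line change from `random.Random` to `secrets.token_bytes`; everything else in the block exists to make the difference observable. The seed-space check is intentionally small (10,000 seeds) because its purpose is to fail loudly on a key that was generated this way, not to model an adversary.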

**Vulnerability Scoring**

| CVE | CVSS 3.x Score | Vector |
| --- | --- | --- |
| TBA | TBA | TBA |

**References**

| Resource | Hyperlink |
| --- | --- |
| NIST NVD | TBA |

**Affected Versions**

Object First 1.0.7.712

Not affected versions:

N/A

**Software Versions and Fixes**

Fixed in Object First version 1.0.13.1611

**Workaround**

Update to Object First version 1.0.13.1611 or higher

**Obtaining Software Fixes**

Software updates will be available in Object First Update Manager. You can contact Support directly via email at [email protected] or via phone at +1 800 6657145.

**Status of Notice**

Final

Object First will continue to update information regarding this vulnerability as new details become available.

This vulnerability article should be considered as the single source of current, up-to-date, authorized and accurate information posted by Object First Software.

**Revision History**

| Revision # | Date | Comments |
| --- | --- | --- |
| 1.0 | 2022-10-24 | Initial Public Release and Final Status |
