Security
Headlines
HeadlinesLatestCVEs

Headline

GHSA-vf78-3q9f-92g3: Hard-coded System User Credentials in Folio Data Export Spring module

Impact

The module creates a system user that is used to perform internal module-to-module operations. Credentials for this user are hard-coded in the source code. This makes it trivial to authenticate as this user, resulting in unauthorized access to potentially dangerous APIs, allowing to view and modify configuration including single-sign-on configuration, to read, add and modify user data, and to read and transfer fees/fines in a patron’s account.

Patches

Upgrade mod-data-export-spring to >=2.0.2, or a 1.5.x version >=1.5.4.

Workarounds

No known workarounds.

References

https://wiki.folio.org/x/hbMMBw - FOLIO Security Advisory with Upgrade Instructions https://github.com/folio-org/mod-data-export-spring/commit/93aff4566bff59e30f4121b5a2bda5b0b508a446 - Fix

ghsa
#vulnerability#git#java#auth#maven

Skip to content

    • Actions

      Automate any workflow

    • Packages

      Host and manage packages

    • Security

      Find and fix vulnerabilities

    • Codespaces

      Instant dev environments

    • Copilot

      Write better code with AI

    • Code review

      Manage code changes

    • Issues

      Plan and track work

    • Discussions

      Collaborate outside of code

    • GitHub Sponsors

      Fund open source developers

*   The ReadME Project
    
    GitHub community articles
  • Pricing
  1. GitHub Advisory Database
  2. GitHub Reviewed
  3. GHSA-vf78-3q9f-92g3

Hard-coded System User Credentials in Folio Data Export Spring module

Package

maven org.folio:mod-data-export-spring (Maven)

Affected versions

>= 2.0.0, < 2.0.2

< 1.5.4

Patched versions

2.0.2

1.5.4

Description

Impact

The module creates a system user that is used to perform internal module-to-module operations. Credentials for this user are hard-coded in the source code. This makes it trivial to authenticate as this user, resulting in unauthorized access to potentially dangerous APIs, allowing to view and modify configuration including single-sign-on configuration, to read, add and modify user data, and to read and transfer fees/fines in a patron’s account.

Patches

Upgrade mod-data-export-spring to >=2.0.2, or a 1.5.x version >=1.5.4.

Workarounds

No known workarounds.

References

https://wiki.folio.org/x/hbMMBw - FOLIO Security Advisory with Upgrade Instructions
folio-org/mod-data-export-spring@93aff45 - Fix

References

  • GHSA-vf78-3q9f-92g3
  • folio-org/mod-data-export-spring@93aff45
  • https://wiki.folio.org/x/hbMMBw

Published to the GitHub Advisory Database

Jul 25, 2023

ghsa: Latest News

GHSA-pj33-75x5-32j4: RabbitMQ HTTP API's queue deletion endpoint does not verify that the user has a required permission