GHSA-vf78-3q9f-92g3: Hard-coded System User Credentials in Folio Data Export Spring module

Skip to content

• • Actions

    Automate any workflow

  • Packages

    Host and manage packages

  • Security

    Find and fix vulnerabilities

  • Codespaces

    Instant dev environments

  • Copilot

    Write better code with AI

  • Code review

    Manage code changes

  • Issues

    Plan and track work

  • Discussions

    Collaborate outside of code

• • GitHub Sponsors

    Fund open source developers

*   The ReadME Project
    
    GitHub community articles

• Pricing

1. GitHub Advisory Database
2. GitHub Reviewed
3. GHSA-vf78-3q9f-92g3

Hard-coded System User Credentials in Folio Data Export Spring module

Package

maven org.folio:mod-data-export-spring (Maven)

Affected versions

>= 2.0.0, < 2.0.2

< 1.5.4

Patched versions

2.0.2

1.5.4

Description

Impact

The module creates a system user that is used to perform internal module-to-module operations. Credentials for this user are hard-coded in the source code. This makes it trivial to authenticate as this user, resulting in unauthorized access to potentially dangerous APIs, allowing to view and modify configuration including single-sign-on configuration, to read, add and modify user data, and to read and transfer fees/fines in a patron’s account.

Patches

Upgrade mod-data-export-spring to >=2.0.2, or a 1.5.x version >=1.5.4.

Workarounds

No known workarounds.

References

https://wiki.folio.org/x/hbMMBw - FOLIO Security Advisory with Upgrade Instructions
folio-org/mod-data-export-spring@93aff45 - Fix

References

• GHSA-vf78-3q9f-92g3
• folio-org/mod-data-export-spring@93aff45
• https://wiki.folio.org/x/hbMMBw

Published to the GitHub Advisory Database

Jul 25, 2023