Antsle · Antsle Antman · CVE-2018-7739
Name of the Vulnerable Software and Affected Versions:
antsle antman versions prior to 0.9.1a
Description:
The issue allows remote attackers to bypass authentication by providing invalid characters in the `username` and `password` parameters. This can be achieved by sending a string such as `username=>&password=%0a` to the "/login" API endpoint. As a result, an attacker can obtain root permissions within the web management console. The root cause is insufficient input validation in the `antsle-auth` bash script, which the login process invokes through Java's `ProcessBuilder` class.
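The kind of check the description says was missing, as an added example that is not Antsle's code: a fail-closed validation gate in shell that rejects the `>` username and the newline password from the request above before any credential check runs. The function names, the 64-character limit, the allow-list and the stand-in `verify_credentials` account are assumptions; the page does not show the script's contents.

```shell
#!/bin/sh
# Added example: fail-closed input validation for a shell authentication helper.
# All names, limits and the sample account are assumptions for illustration.
LC_ALL=C; export LC_ALL   # make bracket ranges and [:cntrl:] byte-exact

# Usernames: 1..64 characters from a strict allow-list.
valid_username() {
    [ -n "$1" ] || return 1
    [ "${#1}" -le 64 ] || return 1
    case $1 in
        *[!A-Za-z0-9._-]*) return 1 ;;   # rejects ">", newline, spaces, quotes
    esac
    return 0
}

# Passwords: may contain punctuation, but never be empty or hold control
# characters (newline, CR, tab, ESC), which a line-oriented script can misparse.
valid_password() {
    [ -n "$1" ] || return 1
    [ "$(printf '%s' "$1" | tr -d '[:cntrl:]')" = "$1" ] || return 1
    return 0
}

# Stand-in for the real credential check (constructed account, hypothetical).
verify_credentials() {
    [ "$1" = "admin" ] && [ "$2" = "correct horse" ]
}

# Succeeds only when every step explicitly succeeds; any error means "deny".
authenticate() {
    valid_username "$1" || return 1
    valid_password "$2" || return 1
    verify_credentials "$1" "$2" || return 1
    return 0
}
```

The caller should treat any non-zero exit status, including a crash or missing output from the helper, as a failed login.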
Recommendations:
For versions prior to 0.9.1a, update to version 0.9.1a or later to resolve the issue. As a temporary workaround, consider restricting access to the "/login" API endpoint to minimize the risk of exploitation. Additionally, avoid using special characters in the `username` and `password` parameters until the issue is resolved.