PT-2023-18546 · Izanami · Izanami

Raphaël Lob · Published 2023-01-14 · Updated 2023-01-24

CVE-2023-22495 · CVSS v3.1: 9.8 (Critical)

Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: Izanami versions prior to 1.11.0

Description: The issue allows attackers to bypass authentication in the application when it is deployed using the official Docker image. The cause is a hard-coded secret used to sign the authentication token (JWT); because that secret is the same in every deployment of the image, it could enable an attacker to compromise another instance of the application.

Recommendations: For versions prior to 1.11.0, update to version 1.11.0 to resolve the issue. As a temporary workaround, consider restricting access to the JWT authentication mechanism until the update is applied.
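As an added illustration (not Izanami's own code or configuration), the following Python models the failure the advisory describes and the deployment-time check that prevents it: a token minted by one instance is accepted by any other instance that shares the same signing secret, while per-deployment secrets isolate them. The secret value and the `JWT_SIGNING_SECRET` variable name are constructed placeholders, not Izanami's configuration keys.

```python
import base64
import hashlib
import hmac
import json
import secrets
from typing import Optional

# Constructed placeholder for a secret baked into an image; any fixed value
# that every deployment shares has the same effect as the one in the advisory.
BAKED_IN_DEFAULT = "changeme-image-default-secret"
MIN_SECRET_BYTES = 32


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64url(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_hs256(claims: dict, secret: str) -> str:
    """Mint an HS256 JWT (header.payload.signature) with the given secret."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps(claims, separators=(",", ":")).encode())
    mac = hmac.new(secret.encode(), f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(mac)}"


def verify_hs256(token: str, secret: str) -> Optional[dict]:
    """Return the claims if the signature matches this instance's secret, else None."""
    try:
        header, payload, sig = token.split(".")
    except ValueError:
        return None
    expected = hmac.new(secret.encode(), f"{header}.{payload}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _unb64url(sig)):
        return None
    return json.loads(_unb64url(payload))


def generate_secret() -> str:
    """Per-deployment secret, generated at deploy time rather than shipped in the image."""
    return secrets.token_urlsafe(MIN_SECRET_BYTES)


def load_signing_secret(env: dict, var: str = "JWT_SIGNING_SECRET") -> str:
    """Startup check: refuse a missing, image-default or short secret (hypothetical variable name)."""
    value = env.get(var)
    if not value:
        raise RuntimeError(f"{var} must be set per deployment; there is no built-in default")
    if value == BAKED_IN_DEFAULT or len(value.encode()) < MIN_SECRET_BYTES:
        raise RuntimeError(f"{var} is the image default or shorter than {MIN_SECRET_BYTES} bytes")
    return value


def cross_instance_accepted(secret_a: str, secret_b: str) -> bool:
    """True when a token minted by instance A validates on instance B, i.e. they share a secret."""
    token = sign_hs256({"sub": "admin", "iss": "instance-a"}, secret_a)
    return verify_hs256(token, secret_b) is not None
```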

Weakness Enumeration

Using Hardcoded Credentials

Authentication Bypass Using an Alternate Path or Channel

Related identifiers

CVE-2023-22495
GHSA-9R7J-M337-792C

Affected products

Izanami