Discookie

**Name of the Vulnerable Software and Affected Versions** CodeChecker versions through 6.24.5 **Description** The CodeChecker web server contains an open redirect issue due to insufficient protection against multiple slashes in the URL after the product name. This allows bypassing existing protections, resulting in an open redirect pathway. **Recommendations** For versions through 6.24.5, update to a version that addresses this issue to prevent open redirect vulnerabilities.

**Name of the Vulnerable Software and Affected Versions** CodeChecker versions through 6.24.4 **Description** Cross-site request forgery allows an unauthenticated attacker to hijack the authentication of a logged-in user and use the web API with the same permissions, including adding, removing, or editing products. The attacker needs to know the ID of the available products to modify or delete them. The attacker cannot directly exfiltrate data from CodeChecker due to being limited to form-based CSRF. Security attributes like `HttpOnly` and `SameSite` are missing from the session cookie, allowing its use from XHR requests and form submissions. The CodeChecker API endpoints only require the session cookie and do not require a CSRF token. **Recommendations** For CodeChecker versions through 6.24.4, consider implementing security attributes like `HttpOnly` and `SameSite` for the session cookie to prevent its use from XHR requests and form submissions. Additionally, implementing a CSRF token for API endpoints can help prevent cross-site request forgery attacks. As a temporary workaround, restrict access to the CodeChecker API endpoints to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** CodeChecker versions through 6.24.1 **Description** Authentication bypass occurs when the API URL ends with `Authentication`, allowing superuser access to all API endpoints other than `/Authentication`. These endpoints include the ability to add, edit, and remove products, among others. All endpoints, apart from the `/Authentication` endpoint, are affected by the issue. This bypass enables unauthenticated users to access all API functionality, including querying, adding, changing, and deleting products contained on the CodeChecker server without authentication. **Recommendations** For CodeChecker versions through 6.24.1, update to a version that contains a fix for this issue. As a temporary workaround, consider restricting access to all API endpoints except `/Authentication` to minimize the risk of exploitation. Additionally, review logs for signs of exploit by looking for the pattern where the URL starts with 'v' and contains a valid CodeChecker endpoint, but ends in `Authentication`, `Configuration`, or `ServerInfo` and was made by an `Anonymous` user. Isolate vulnerable systems until patched.

**Name of the Vulnerable Software and Affected Versions** CodeChecker versions through 6.24.1 **Description** The issue is related to authentication method confusion, allowing an attacker to log in as the built-in root user from an external service. The built-in root user is generated in a weak manner, cannot be disabled, and has universal access. This allows an attacker who can create an account on an enabled external authentication service to log in as the root user and access and control everything via the web interface. The attacker needs to acquire the username of the root user to be successful. The username of the root user can be found in the `root.user` file in the CodeChecker configuration directory. **Recommendations** For CodeChecker versions through 6.24.1, update to a version later than 6.24.1 to resolve the issue. As a temporary workaround, consider restricting access to the external authentication services or monitoring the CodeChecker instance for signs of compromise. Additionally, review the logs for signs of unauthorized access and consider disabling the external authentication services until the issue is resolved.

**Name of the Vulnerable Software and Affected Versions** CodeChecker versions prior to 6.23 **Description** The issue arises from the improper sanitization of ZIP files uploaded to the server endpoint of `CodeChecker store`. An attacker can exploit this vulnerability using a path traversal attack to load and display files on the machine of the `CodeChecker server`. The vulnerable endpoint is `/Default/v6.53/CodeCheckerService@massStoreRun`. This allows for the exfiltration of data from the server-side storage medium with the same permission level as the `CodeChecker server` process. The attack requires a valid user account on the `CodeChecker server` with permission to store to a database and view the stored reports if authentication is enabled. **Recommendations** To resolve the issue, update CodeChecker to version 6.23 or later. As a temporary workaround, consider restricting access to the vulnerable endpoint `/Default/v6.53/CodeCheckerService@massStoreRun` until a patch is applied. Additionally, limiting the permissions of the `CodeChecker server` process can help minimize the risk of exploitation.