CVE-2021-22538

Name of the Vulnerable Software and Affected Versions Google Exposure Notification Verification Server versions prior to 0.23.1

Description A privilege escalation issue allows an attacker with UserWrite permissions, using a carefully crafted request or malicious proxy, to create another user with higher privileges than their own. This occurs due to insufficient checks on the allowed set of permissions. The new user creation event would be captured in the Event Log.

Recommendations For versions prior to 0.23.1, update to version 0.23.1 or 0.24.0 to resolve the issue. As a temporary workaround for users who are unable to upgrade, audit users who have UserWrite permissions and regularly review the Event Log for malicious activity.