CVE-2021-27228

Name of the Vulnerable Software and Affected Versions: Shinobi through ocean version 1

Description: An issue was discovered in the lib/auth.js file, where Incorrect Access Control allows attackers to bypass API key validation. By utilizing JavaScript Proto Method names, such as constructor or hasOwnProperty, an attacker can trick the system into believing a supplied API key is valid, thus gaining complete access to User, Admin, and Super API functions. This can be achieved through API endpoints like "/super/constructor/accounts/list".

Recommendations: For Shinobi through ocean version 1, consider restricting access to the lib/auth.js file and limiting the use of JavaScript Proto Method names to prevent exploitation until a proper fix is implemented. As a temporary workaround, restrict access to sensitive API endpoints, such as "/super/constructor/accounts/list", to minimize the risk of unauthorized access.