PT-2021-21824 · Microsoft · Onefuzz

Bmc-Msft · Published 2021-08-13 · Updated 2022-10-27 · CVE-2021-37705

CVSS v3.1: 10 (Critical)
Vector: AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

Name of the Vulnerable Software and Affected Versions

OneFuzz versions 2.12.0 through 2.30.0

Description

The issue is an incomplete authorization check in OneFuzz that allows an authenticated user from any Azure Active Directory tenant to make authorized API calls to a vulnerable OneFuzz instance. This can result in read/write access to private data, such as software vulnerability and crash information, security testing tools, and proprietary code and symbols. It also enables tampering with existing data and unauthorized code execution on Azure compute resources.

Recommendations

For OneFuzz versions 2.12.0 through 2.30.0, users can restrict access to the tenant of a deployed OneFuzz instance by redeploying in the default configuration, which omits the --multi_tenant_domain option. For OneFuzz versions prior to 2.31.0, update to version 2.31.0 or later, which adds an application-level check of the bearer token's issuer against an administrator-configured allowlist.
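
The application-level issuer check described in the recommendations, sketched as an added example (not OneFuzz's own code). It assumes the token signature has already been verified by the authentication layer in front of the API; the allowlist entry, tenant IDs and function names are constructed for illustration.

```python
import base64
import json

# Assumption: administrator-configured issuer allowlist. The tenant ID below
# is a constructed placeholder, not a value from the advisory.
ALLOWED_ISSUERS = frozenset({
    "https://sts.windows.net/11111111-1111-1111-1111-111111111111/",
})


def _b64url_json(segment):
    """Decode one base64url-encoded JWT segment as JSON."""
    padded = segment + "=" * (-len(segment) % 4)
    return json.loads(base64.urlsafe_b64decode(padded))


def issuer_allowed(bearer_token, allowed=ALLOWED_ISSUERS):
    """Return True only when the token's `iss` claim is on the allowlist.

    Assumes the signature was already verified upstream; this is the extra
    application-level check, and every parse failure is a denial.
    """
    parts = bearer_token.split(".")
    if len(parts) != 3:
        return False
    try:
        claims = _b64url_json(parts[1])
    except ValueError:  # bad base64, bad UTF-8 or bad JSON
        return False
    issuer = claims.get("iss") if isinstance(claims, dict) else None
    # Exact match only: no prefix, substring or case-insensitive comparison.
    return isinstance(issuer, str) and issuer in allowed


def make_sample_token(claims):
    """Build a constructed token with a dummy signature, for the demo only."""
    def enc(obj):
        raw = json.dumps(obj).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    return ".".join([enc({"alg": "RS256", "typ": "JWT"}), enc(claims), "c2ln"])


if __name__ == "__main__":
    base = "https://sts.windows.net/"
    home = make_sample_token({"iss": base + "11111111-1111-1111-1111-111111111111/"})
    other = make_sample_token({"iss": base + "22222222-2222-2222-2222-222222222222/"})
    print(issuer_allowed(home), issuer_allowed(other))  # True False
```

A token from any tenant not on the allowlist is rejected even though it is validly signed, which is the gap the incomplete check left open in multi-tenant deployments.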

Fix

Weakness Enumeration

Incorrect Authorization
Improper Authorization
Origin Validation Error

Related Identifiers

CVE-2021-37705
GHSA-Q5VH-6WHW-X745
PYSEC-2021-344

Affected Products

Onefuzz