PT-2022-23818 · Unknown · Patrickfuller Camp

Elias Hohl · Published 2022-11-14 · Updated 2023-03-27 · CVE-2022-37109

CVSS v3.1: 9.8 (Critical)

Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Name of the Vulnerable Software and Affected Versions

patrickfuller camp versions up to and including commit bbd53a256ed70e79bd8758080936afbf6d738767

Description

The issue concerns Incorrect Access Control. Access to the password.txt file is not properly restricted, because the file sits in the root directory served by StaticFileHandler. The Tornado rule that returns a 403 error when password.txt is requested can be bypassed. Furthermore, an attacker does not need to crack the password hash to authenticate with the application: the password hash is also used as the cookie secret, so an attacker can generate their own authentication cookie.

Recommendations

For versions up to and including commit bbd53a256ed70e79bd8758080936afbf6d738767, consider restricting access to the password.txt file to minimize the risk of exploitation. As a temporary workaround, consider disabling the StaticFileHandler for the root directory until a proper fix is applied. Additionally, avoid using the password hash as the cookie secret to prevent unauthorized authentication. At the moment, there is no information about a newer version that contains a fix for this vulnerability.
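
The two conditions named in the recommendations can be checked mechanically. The following is an added audit sketch in Python, not code from the camp project: it reports whether a credential file resolves inside the directory being served and whether the cookie secret is the stored password hash. The `static/` and `private/` directory names, the `cookie_secret` file and the sample hash string are constructed assumptions.

```python
import hmac
import os
import secrets
import tempfile
from pathlib import Path

def is_under(root: Path, candidate: Path) -> bool:
    """True if candidate resolves (symlinks followed) to a location inside root."""
    root, candidate = root.resolve(), candidate.resolve()
    return candidate == root or root in candidate.parents

def load_cookie_secret(path: Path) -> bytes:
    """Return a random signing key kept in its own 0600 file, created on first use."""
    if not path.exists():
        fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
        with os.fdopen(fd, "wb") as fh:
            fh.write(secrets.token_hex(32).encode())
    return path.read_bytes()

def audit(static_root: Path, password_file: Path, cookie_secret: bytes) -> list:
    """List the weaknesses from the advisory that apply to this layout."""
    findings = []
    if is_under(static_root, password_file):
        findings.append("credential file is inside the served directory")
    stored_hash = password_file.read_bytes().strip()
    if hmac.compare_digest(stored_hash, cookie_secret.strip()):
        findings.append("cookie secret equals the stored password hash")
    return findings

def demo() -> tuple:
    """Build a weak and a corrected layout from constructed data and audit both."""
    with tempfile.TemporaryDirectory() as tmp:
        base = Path(tmp)
        # Weak layout: the served root is the application directory itself,
        # and the hash file doubles as the cookie signing key.
        weak_root = base / "weak"
        weak_root.mkdir()
        weak_pw = weak_root / "password.txt"
        weak_pw.write_text("constructed-sample-hash\n")
        weak = audit(weak_root, weak_pw, weak_pw.read_bytes())
        # Corrected layout: only static/ is served, secrets live in private/,
        # and the cookie secret is random and unrelated to the password hash.
        app = base / "fixed"
        (app / "static").mkdir(parents=True)
        (app / "private").mkdir()
        pw = app / "private" / "password.txt"
        pw.write_text("constructed-sample-hash\n")
        secret = load_cookie_secret(app / "private" / "cookie_secret")
        fixed = audit(app / "static", pw, secret)
    return weak, fixed
```

In a Tornado deployment, the audited values would be the `path` given to `StaticFileHandler` and the `cookie_secret` application setting.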

Exploit

Insufficiently Protected Credentials

Weakness Enumeration

Related Identifiers

CVE-2022-37109

Affected Products

Patrickfuller Camp