CVE-2023-22495

CVSS v3.1

9.8

Critical

Vector

AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Name of the Vulnerable Software and Affected Versions Izanami versions prior to 1.11.0

Description The issue allows attackers to bypass authentication in the application when deployed using the official Docker image. This is due to a hard-coded secret used to sign the authentication token (JWT), which could enable an attacker to compromise another instance of the application.

Recommendations For versions prior to 1.11.0, update to version 1.11.0 to resolve the issue. As a temporary workaround, consider restricting access to the JWT authentication mechanism until the update is applied.

Exploit

Fix

Using Hardcoded Credentials

Authentication Bypass Using an Alternate Path or Channel

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-798CWE-288

Related Identifiers

CVE-2023-22495

GHSA-9R7J-M337-792C

Affected Products

Izanami

CVE-2023-22495

Weakness Enumeration

Related Identifiers

Affected Products

References · 5