PT-2024-26120

Theo-Ritense · Published 2024-05-13 · Updated 2024-05-14 · CVE-2024-34706

CVSS v3.1: 9.8 Critical
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions

Valtimo versions prior to 10.8.4
Valtimo versions prior to 11.1.6
Valtimo versions prior to 11.2.2
Description

Valtimo is an open source business process and case management platform. When opening a form in Valtimo, the access token (JWT) of the user is exposed to api.form.io via the x-jwt-token header. An attacker can retrieve personal information from this token, or use it to execute requests to the Valtimo REST API on behalf of the logged-in user. This issue is caused by a misconfiguration of the Form.io component.

To perform this attack, all of the following must hold: the attacker has access to the network traffic on the api.form.io domain; the content of the x-jwt-token header is logged or otherwise available to the attacker; the attacker has network access to the Valtimo API; and the attacker acts within the time-to-live of the access token, which is 5 minutes by default in Keycloak.
Recommendations

For versions prior to 10.8.4, update to version 10.8.4 or later to resolve the issue.
For versions prior to 11.1.6, update to version 11.1.6 or later to resolve the issue.
For versions prior to 11.2.2, update to version 11.2.2 or later to resolve the issue.

As a temporary workaround, consider restricting access to the api.form.io domain and the Valtimo API to minimize the risk of exploitation. Additionally, ensure that the content of the x-jwt-token header is not logged or otherwise made available to potential attackers.
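The two defensive checks the description and workaround imply, as an added example that is not part of this advisory, of Valtimo, or of Form.io: scan captured browser or proxy traffic (HAR-style entries) for requests that send a JWT in the x-jwt-token or Authorization header to a host outside the application's own allowlist, report which personal claims the token carries and how long it stays usable (exp minus iat), and redact such header values before they reach a log file. The host name valtimo.example.internal, the Form.io path, the token claims and the timestamps are all constructed for the example; the JWT is decoded without signature verification because the goal is inspection, not trust.

```python
"""Defensive checks for access-token exposure to third-party hosts.

1. find_token_leaks(): flag HAR-style requests that carry a JWT header to a
   host that is not on the application's own allowlist.
2. redact_tokens(): mask x-jwt-token / Authorization values in log lines so
   the header content is never written to disk.
All sample data below is constructed for this example.
"""
import base64
import json
import re
from urllib.parse import urlsplit

SENSITIVE_HEADERS = ("x-jwt-token", "authorization")
PII_CLAIMS = ("email", "name", "preferred_username")


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def make_unsigned_sample_token(claims: dict) -> str:
    """Constructed JWT with a dummy signature ("sig"), for testing only."""
    header = _b64url(json.dumps({"alg": "RS256", "typ": "JWT"}).encode())
    return f"{header}.{_b64url(json.dumps(claims).encode())}.c2ln"


def decode_jwt_payload(token: str) -> dict:
    """Base64url-decode the JWT payload WITHOUT verifying the signature.
    Inspection only; never use these claims for an authorization decision."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore padding
    return json.loads(base64.urlsafe_b64decode(payload))


def find_token_leaks(entries, allowed_hosts):
    """Return one finding per request that sends a JWT to a host outside
    allowed_hosts.  Each entry is {"url": ..., "headers": [{"name","value"}]}."""
    findings = []
    for entry in entries:
        host = urlsplit(entry["url"]).hostname or ""
        if host in allowed_hosts:
            continue
        for hdr in entry.get("headers", []):
            name = hdr["name"].lower()
            if name not in SENSITIVE_HEADERS:
                continue
            value = hdr["value"]
            if name == "authorization":
                if not value.lower().startswith("bearer "):
                    continue  # Basic/other schemes are not JWT bearer tokens
                value = value[7:]
            try:
                claims = decode_jwt_payload(value)
            except (ValueError, json.JSONDecodeError):
                continue  # not a JWT; nothing to report for this header
            findings.append({
                "host": host,
                "header": name,
                "subject": claims.get("sub"),
                "pii_claims": sorted(k for k in PII_CLAIMS if k in claims),
                "ttl_seconds": claims.get("exp", 0) - claims.get("iat", 0),
            })
    return findings


# header name, separator, optional "Bearer ", then the three dot-separated JWS segments
_TOKEN_RE = re.compile(
    r"(?i)(x-jwt-token|authorization)(\s*[:=]\s*)(?:bearer\s+)?"
    r"[A-Za-z0-9_\-]+\.[A-Za-z0-9_\-]+\.[A-Za-z0-9_\-]+"
)


def redact_tokens(line: str) -> str:
    """Mask JWT values that follow x-jwt-token / Authorization in a log line."""
    return _TOKEN_RE.sub(lambda m: f"{m.group(1)}{m.group(2)}[REDACTED]", line)


# --- constructed sample data ---------------------------------------------
SAMPLE_TOKEN = make_unsigned_sample_token({
    "sub": "user-1234", "preferred_username": "jdoe", "email": "jdoe@example.com",
    "iat": 1715558400, "exp": 1715558700,  # 5-minute lifetime, as Keycloak's default
})
ALLOWED_HOSTS = {"valtimo.example.internal"}  # assumed application host
SAMPLE_ENTRIES = [
    {"url": "https://valtimo.example.internal/api/v1/case",
     "headers": [{"name": "x-jwt-token", "value": SAMPLE_TOKEN}]},   # first party: fine
    {"url": "https://api.form.io/form/abc123",
     "headers": [{"name": "x-jwt-token", "value": SAMPLE_TOKEN}]},   # third party: leak
    {"url": "https://cdn.example.net/formio.js",
     "headers": [{"name": "Accept", "value": "*/*"}]},               # no token at all
]
SAMPLE_FINDINGS = find_token_leaks(SAMPLE_ENTRIES, ALLOWED_HOSTS)

if __name__ == "__main__":
    for f in SAMPLE_FINDINGS:
        print(f"LEAK to {f['host']} via {f['header']}: sub={f['subject']} "
              f"pii={f['pii_claims']} usable for {f['ttl_seconds']}s")
    print(redact_tokens("x-jwt-token: " + SAMPLE_TOKEN))
```

Run against a real HAR export by mapping each `log.entries[i].request` to the `{"url", "headers"}` shape above; the allowlist should contain only hosts that legitimately need the user's token, so any finding is a configuration defect to fix rather than something to tune out. The redaction regex is meant for proxy and application log pipelines where the header line is written verbatim; apply it before the line reaches storage, not afterwards.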

Exploit

Fix

Insertion into Log File

Weakness Enumeration

Related Identifiers

CVE-2024-34706
GHSA-XCP4-62VJ-CQ3R

Affected Products

Form.Io
Keycloak
Valtimo