GHSA-vf78-3q9f-92g3

Опубликовано: 25 июл. 2023

Источник: github

Github: Прошло ревью

CVSS3: 10

Описание

Hard-coded System User Credentials in Folio Data Export Spring module

Impact

The module creates a system user that is used to perform internal module-to-module operations. Credentials for this user are hard-coded in the source code. This makes it trivial to authenticate as this user, resulting in unauthorized access to potentially dangerous APIs, allowing to view and modify configuration including single-sign-on configuration, to read, add and modify user data, and to read and transfer fees/fines in a patron's account.

Patches

Upgrade mod-data-export-spring to >=2.0.2, or a 1.5.x version >=1.5.4.

Workarounds

No known workarounds.

References

https://wiki.folio.org/x/hbMMBw - FOLIO Security Advisory with Upgrade Instructions https://github.com/folio-org/mod-data-export-spring/commit/93aff4566bff59e30f4121b5a2bda5b0b508a446 - Fix

Ссылки

Пакеты

Наименование

org.folio:mod-data-export-spring

maven

Затронутые версииВерсия исправления

>= 2.0.0, < 2.0.2

2.0.2

Наименование

org.folio:mod-data-export-spring

maven

Затронутые версииВерсия исправления

< 1.5.4

1.5.4

EPSS

Процентиль: 68%

0.00577

Низкий

10 Critical

CVSS3

CVE ID

CVE-2024-23687

Дефекты

CWE-798

Связанные уязвимости

CVE-2024-23687

CVSS3: 9.1

nvd

около 2 лет назад

Hard-coded credentials in FOLIO mod-data-export-spring versions before 1.5.4 and from 2.0.0 to 2.0.2 allows unauthenticated users to access critical APIs, modify user data, modify configurations including single-sign-on, and manipulate fees/fines.

EPSS

Процентиль: 68%

0.00577

Низкий

10 Critical

CVSS3

CVE ID

CVE-2024-23687

Дефекты

CWE-798