Description
Insufficient Granularity of Access Control in github.com/google/exposure-notifications-verification-server
Impact
Users or API keys with permission to expire verification codes could expire codes that belonged to another realm, provided they guessed the code's UUID.
Patches
v1.1.2+
Workarounds
There are no workarounds, and there are no indications this has been exploited in the wild. Verification codes can only be expired by providing their 64-bit UUID, and verification codes are already valid for a very short period of time (thus the UUID rotates frequently).
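The flaw described above is a missing realm check on the expire path: the code was looked up by UUID alone, so the caller's realm was never compared with the realm that owned the code. The following Go example is added here to illustrate the weak lookup next to a realm-scoped one; it is not the project's code, and the `Store`, `VerificationCode`, `ExpireByUUIDUnscoped` and `ExpireByUUID` names, the sample realm IDs and the in-memory map are all constructed for the example.

```go
package main

import (
	"errors"
	"fmt"
	"time"
)

// VerificationCode is a hypothetical model of a code owned by one realm.
type VerificationCode struct {
	UUID      string
	RealmID   uint
	ExpiresAt time.Time
}

// Store is a constructed in-memory stand-in for the database.
type Store struct {
	codes map[string]*VerificationCode
}

// ErrNotFound is returned both when no code has the UUID and when the code
// belongs to another realm, so a caller cannot tell the two cases apart.
var ErrNotFound = errors.New("verification code not found")

// NewStore seeds constructed sample data: one code in realm 2, valid 15 minutes.
func NewStore() *Store {
	base := time.Date(2021, 1, 1, 0, 0, 0, 0, time.UTC)
	return &Store{codes: map[string]*VerificationCode{
		"code-in-realm-2": {UUID: "code-in-realm-2", RealmID: 2, ExpiresAt: base.Add(15 * time.Minute)},
	}}
}

// ExpireByUUIDUnscoped shows the weak pattern: the lookup is keyed on the UUID
// only, so any caller holding the expire permission in any realm succeeds.
func (s *Store) ExpireByUUIDUnscoped(uuid string, now time.Time) error {
	c, ok := s.codes[uuid]
	if !ok {
		return ErrNotFound
	}
	c.ExpiresAt = now
	return nil
}

// ExpireByUUID is the hardened form: the code must exist AND belong to the
// caller's realm, otherwise the request is treated as a miss.
func (s *Store) ExpireByUUID(callerRealmID uint, uuid string, now time.Time) error {
	c, ok := s.codes[uuid]
	if !ok || c.RealmID != callerRealmID {
		return ErrNotFound
	}
	c.ExpiresAt = now
	return nil
}

// IsExpired reports whether the code is no longer valid at the given instant.
func (s *Store) IsExpired(uuid string, now time.Time) bool {
	c, ok := s.codes[uuid]
	if !ok {
		return true
	}
	return !now.Before(c.ExpiresAt)
}

func main() {
	s := NewStore()
	now := time.Date(2021, 1, 1, 0, 0, 0, 0, time.UTC)
	// A realm-1 caller guessing a realm-2 UUID is refused by the scoped path.
	fmt.Println("scoped, wrong realm:", s.ExpireByUUID(1, "code-in-realm-2", now))
	fmt.Println("still valid:", !s.IsExpired("code-in-realm-2", now))
	// The owning realm may expire its own code.
	fmt.Println("scoped, own realm:", s.ExpireByUUID(2, "code-in-realm-2", now))
	fmt.Println("now expired:", s.IsExpired("code-in-realm-2", now))
}
```

The scoped variant returns the same `ErrNotFound` for "no such UUID" and "UUID in another realm"; a distinct error for the second case would let a caller confirm that a guessed UUID exists somewhere, which is information the cross-realm caller should not receive.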
For more information
References
- https://github.com/google/exposure-notifications-verification-server/security/advisories/GHSA-wx8q-rgfr-cf6v
- https://nvd.nist.gov/vuln/detail/CVE-2021-22565
- https://github.com/google/exposure-notifications-verification-server
- https://github.com/google/exposure-notifications-verification-server/releases/tag/v1.1.2
Packages
github.com/google/exposure-notifications-verification-server
- Affected versions: < 1.1.2
- Patched version: 1.1.2
Related vulnerabilities
An attacker could prematurely expire a verification code, making it unusable by the patient, who would then be unable to upload their TEKs to generate exposure notifications. We recommend upgrading the Exposure Notification server to v1.1.2 or greater.