GHSA-5v95-v8c8-3rh6

Suggest an improvement
Source
https://github.com/advisories/GHSA-5v95-v8c8-3rh6
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/05/GHSA-5v95-v8c8-3rh6/GHSA-5v95-v8c8-3rh6.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-5v95-v8c8-3rh6
Aliases
Published
2021-05-21T14:32:55Z
Modified
2023-11-08T04:05:00.590577Z
Severity
  • 8.8 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H CVSS Calculator
Summary
Privilege escalation in rbac
Details

Impact

Using a carefully crafted request or malicious proxy, a user with UserWrite permissions could create another user with higher privileges than their own due to insufficient checks on the allowed set of permissions. The event would be captured in the Event Log.

Patches

The issue has been fixed in 0.24.0 and 0.23.1.

Workarounds

For users who are unable to upgrade, we recommend auditing users who have UserWrite permissions and regularly reviewing the Event Log for malicious activity.

Kudos

Thank you to Michael Mazzolini (Ethical Hacker at WHO) for finding and disclosing this vulnerability.

References

Affected packages

Go / github.com/google/exposure-notifications-verification-server

Package

Name
github.com/google/exposure-notifications-verification-server
View open source insights on deps.dev
Purl
pkg:golang/github.com/google/exposure-notifications-verification-server

Affected ranges

Type
SEMVER
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
0.23.1

Database specific

{
    "last_known_affected_version_range": "< 0.23.0"
}