GHSA-9rhq-86fm-qxqc

Suggest an improvement
Source
https://github.com/advisories/GHSA-9rhq-86fm-qxqc
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/01/GHSA-9rhq-86fm-qxqc/GHSA-9rhq-86fm-qxqc.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-9rhq-86fm-qxqc
Aliases
Published
2024-01-20T00:30:27Z
Modified
2024-01-30T20:14:03.118621Z
Severity
  • 9.1 (Critical) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N CVSS Calculator
Summary
Hard-coded credentials in org.folio:mod-data-export-spring
Details

Hard-coded credentials in FOLIO mod-data-export-spring versions before 1.5.4 and from 2.0.0 to 2.0.2 allows unauthenticated users to access critical APIs, modify user data, modify configurations including single-sign-on, and manipulate fees/fines.

Database specific
{
    "nvd_published_at": "2024-01-19T22:15:08Z",
    "cwe_ids": [
        "CWE-798"
    ],
    "severity": "CRITICAL",
    "github_reviewed": true,
    "github_reviewed_at": "2024-01-22T21:24:43Z"
}
References

Affected packages

Maven / org.folio:mod-data-export-spring

Package

Name
org.folio:mod-data-export-spring
View open source insights on deps.dev
Purl
pkg:maven/org.folio/mod-data-export-spring

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
1.5.4

Maven / org.folio:mod-data-export-spring

Package

Name
org.folio:mod-data-export-spring
View open source insights on deps.dev
Purl
pkg:maven/org.folio/mod-data-export-spring

Affected ranges

Type
ECOSYSTEM
Events
Introduced
2.0.0
Fixed
3.0.0