CVELIST:CVE-2022-24721
History: Mar 15, 2022 - 1:45 p.m.

CVE-2022-24721 Incorrect Authorization in org.cometd.oort

Published: 2022-03-15 13:45:13
CWE: CWE-863
CNA: GitHub_M
Source: www.cve.org
Tags: cve-2022-24721, incorrect authorization, org.cometd.oort, oort channels, seti channels, remote user, sensitive data

CVSS3

8.1

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N

AI Score

8.2

Confidence

High

EPSS

0.001

Percentile

46.3%

CometD is a scalable comet implementation for web messaging. In any version prior to 5.0.11, 6.0.6, and 7.0.6, internal usage of Oort and Seti channels is improperly authorized, so any remote user could subscribe and publish to those channels. By subscribing to those channels, a remote user may be able to watch cluster-internal traffic that contains other users' (possibly sensitive) data. By publishing to those channels, a remote user may be able to create/modify/delete other users' data and modify the cluster structure. A fix is available in versions 5.0.11, 6.0.6, and 7.0.6. As a workaround, install a custom SecurityPolicy that forbids subscription and publishing on Oort and Seti channels by remote, non-Oort sessions.
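The workaround in the description is a custom SecurityPolicy that refuses subscribe and publish requests on the cluster-internal channels unless the session is the server's own (local) session or belongs to another Oort node. The class below is an added illustration of that workaround, not CometD's own code or its upstream fix. It assumes the Oort and Seti channel prefixes are `/oort/` and `/seti/`, that `DefaultSecurityPolicy` exposes the blocking `canSubscribe`/`canPublish` signatures shown, and that `Oort.isOort(ServerSession)` identifies sessions opened by other cluster nodes; verify those against the CometD version in use.

```java
package com.example.cometd; // hypothetical package, not part of CometD

import org.cometd.bayeux.server.BayeuxServer;
import org.cometd.bayeux.server.ServerChannel;
import org.cometd.bayeux.server.ServerMessage;
import org.cometd.bayeux.server.ServerSession;
import org.cometd.oort.Oort;
import org.cometd.server.DefaultSecurityPolicy;

/**
 * Mitigation for CVE-2022-24721 on unpatched CometD nodes: only local
 * sessions and sessions that belong to the Oort cluster itself may
 * subscribe or publish on Oort and Seti channels. Every other remote
 * session is refused on those channels; all other channels fall through
 * to the default policy.
 */
public class OortGuardSecurityPolicy extends DefaultSecurityPolicy {
    // Assumed prefixes of the cluster-internal channels.
    private static final String OORT_PREFIX = "/oort/";
    private static final String SETI_PREFIX = "/seti/";

    private final Oort oort;

    public OortGuardSecurityPolicy(Oort oort) {
        this.oort = oort;
    }

    @Override
    public boolean canSubscribe(BayeuxServer server, ServerSession session,
                                ServerChannel channel, ServerMessage message) {
        if (!allowedOnInternalChannel(session, channel)) {
            return false; // remote, non-Oort session must not watch cluster traffic
        }
        return super.canSubscribe(server, session, channel, message);
    }

    @Override
    public boolean canPublish(BayeuxServer server, ServerSession session,
                              ServerChannel channel, ServerMessage message) {
        if (!allowedOnInternalChannel(session, channel)) {
            return false; // remote, non-Oort session must not inject cluster messages
        }
        return super.canPublish(server, session, channel, message);
    }

    private boolean allowedOnInternalChannel(ServerSession session, ServerChannel channel) {
        if (!isInternalChannel(channel)) {
            return true; // not an Oort/Seti channel: let the default policy decide
        }
        // Server-side (local) sessions are the node's own code and are trusted.
        if (session == null || session.isLocalSession()) {
            return true;
        }
        // Sessions opened by other nodes of the cluster are trusted
        // (assumed Oort API: isOort(ServerSession) recognises comet sessions).
        return oort.isOort(session);
    }

    /**
     * A channel is internal if it is an Oort or Seti channel, or the
     * root wildcard "/**", whose subscription would also deliver
     * Oort/Seti messages to the subscriber.
     */
    static boolean isInternalChannel(ServerChannel channel) {
        String id = channel.getId();
        return id.startsWith(OORT_PREFIX) || id.startsWith(SETI_PREFIX) || "/**".equals(id);
    }
}
```

Install it once the Oort instance exists, for example `bayeuxServer.setSecurityPolicy(new OortGuardSecurityPolicy(oort));` in the servlet or Spring initialiser that creates Oort. Note that this denies the root wildcard `/**` to remote users as well; if the application relies on such broad subscriptions, narrow that rule to the wildcards it actually needs. The policy is a stop-gap only; upgrading to 5.0.11, 6.0.6 or 7.0.6 remains the fix.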

CNA Affected

[
  {
    "product": "cometd",
    "vendor": "cometd",
    "versions": [
      {
        "status": "affected",
        "version": "< 5.0.11"
      },
      {
        "status": "affected",
        "version": ">= 6.0.0, < 6.0.6"
      },
      {
        "status": "affected",
        "version": ">= 7.0.0, < 7.0.6"
      }
    ]
  }
]
