Improper Access Control

github.com/google/exposure-notifications-server is vulnerable to Improper Access Control. The vulnerability is due to the service incorrectly assuming that the source server had properly embargoed keys for at least 2 hours after their expiry, which could allow expired keys to be re-published and...

GO-2022-0381 Import of incorrectly embargoed keys could cause early publication in github.com/google/exposure-notifications-server

Import of incorrectly embargoed keys could cause early publication in github.com/google/exposure-notifications-server...

Insecure Keys Management

github.com/google/exposure-notifications-server uses an insecure key management. An attacker can re-publish imported keys before they have expired, allowing for potential replay of RPIs...

Import of incorrectly embargoed keys could cause early publication

Impact If your installation is using the export-importer service, there is potential impact. If your installation is not importing keys via the export-importer services, your installation is not impacted. In versions 0.19.1 and earlier, the export-importer service assumed that the server it was...

Phabricator: SSRF in notifications.server configuration

Modifying the notification server settings so that it connects to a malicious server. An attacker is able to redirect traffic from the vulnerable application to internal or external network resources. Steps To Reproduce: --------------------- 1. Open your phabricator installation authenticated wi...