org.cometd.java:cometd-java-oort is vulnerable to improper authorization. Remote attackers are able to subscribe and publish to the Oort and Seti channels that carry CometD's internal cluster traffic, because access to those channels is not properly authorized, allowing interception of that traffic. As a result, remote attackers are able to create, modify, or delete other users' data and to alter the cluster structure. The linked commits carry the fix; deployments should upgrade to a release that contains them rather than rely on application-level policy alone.
github.com/cometd/cometd/commit/0246a6dd744e692b55eec95e114a9e234eced260
github.com/cometd/cometd/commit/62eac518697013e1bb7dc573547cc89e55015cdc
github.com/cometd/cometd/commit/bb445a143fbf320f17c62e340455cd74acfb5929
github.com/cometd/cometd/issues/1146
github.com/cometd/cometd/security/advisories/GHSA-rjmq-6v55-4rjv