github.com/edgexfoundry/edgex-go and github.com/edgexfoundry/device-sdk-go are vulnerable to authorization bypass. The vulnerability exists in the BootstrapHandler function in messaging.go because it doesn’t remove MessageBus Options data from configuration after creating a message client, which allows an attacker to bypass access controls and gain access to sensitive information.
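The weakness described above is a retention problem: credentials placed in the message-bus Options section are only needed while the message client is being constructed, yet they stay in the in-memory configuration and can be disclosed by anything that later reports that configuration. The following Go program is an added illustration of that pattern and of the scrub-after-use mitigation, not code from edgex-go or device-sdk-go; the type names (ConfigurationStruct, MessageBusInfo), the option keys and the sample values are constructed for the example.

```go
package main

import (
	"errors"
	"fmt"
)

// MessageBusInfo is a hypothetical message-bus configuration section:
// connection parameters plus an Optional map that may carry credentials.
type MessageBusInfo struct {
	Host     string
	Port     int
	Optional map[string]string
}

// ConfigurationStruct is the hypothetical service configuration that a
// config-reporting endpoint would serialize and return to callers.
type ConfigurationStruct struct {
	ServiceName string
	MessageBus  MessageBusInfo
}

// messageClient stands in for a real message client; it copies the
// settings it needs at construction time and never reads the config again.
type messageClient struct {
	host     string
	port     int
	username string
	password string
}

func newMessageClient(info MessageBusInfo) (*messageClient, error) {
	if info.Host == "" {
		return nil, errors.New("message bus host not configured")
	}
	return &messageClient{
		host:     info.Host,
		port:     info.Port,
		username: info.Optional["Username"],
		password: info.Optional["Password"],
	}, nil
}

// sensitiveKeys is a constructed list of option keys that must not remain
// in the in-memory configuration once the client exists.
var sensitiveKeys = []string{"Username", "Password", "ClientId", "Secret"}

// bootstrapVulnerable creates the client and leaves the options in place,
// so anything that later reports the configuration exposes them.
func bootstrapVulnerable(cfg *ConfigurationStruct) (*messageClient, error) {
	return newMessageClient(cfg.MessageBus)
}

// bootstrapFixed creates the client and then scrubs the sensitive options
// from the configuration, the mitigation the advisory text implies.
func bootstrapFixed(cfg *ConfigurationStruct) (*messageClient, error) {
	client, err := newMessageClient(cfg.MessageBus)
	if err != nil {
		return nil, err
	}
	for _, k := range sensitiveKeys {
		delete(cfg.MessageBus.Optional, k)
	}
	return client, nil
}

// leakedSecrets reports which sensitive keys are still present in the
// configuration, i.e. what a config endpoint would disclose.
func leakedSecrets(cfg *ConfigurationStruct) []string {
	var leaked []string
	for _, k := range sensitiveKeys {
		if _, ok := cfg.MessageBus.Optional[k]; ok {
			leaked = append(leaked, k)
		}
	}
	return leaked
}

// sampleConfig builds a fresh constructed configuration for each call.
func sampleConfig() *ConfigurationStruct {
	return &ConfigurationStruct{
		ServiceName: "example-service",
		MessageBus: MessageBusInfo{
			Host: "localhost",
			Port: 6379,
			Optional: map[string]string{
				"Username":  "svc-user",
				"Password":  "s3cret",
				"KeepAlive": "60",
			},
		},
	}
}

func main() {
	vuln := sampleConfig()
	if _, err := bootstrapVulnerable(vuln); err != nil {
		panic(err)
	}
	fmt.Println("vulnerable bootstrap leaves:", leakedSecrets(vuln))

	fixed := sampleConfig()
	if _, err := bootstrapFixed(fixed); err != nil {
		panic(err)
	}
	fmt.Println("fixed bootstrap leaves:", leakedSecrets(fixed))
}
```

The check that matters operationally is leakedSecrets: after bootstrap it should return nothing, and the same assertion can be wired into a test so a future refactor that drops the scrub step fails CI rather than silently reopening the disclosure.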
github.com/edgexfoundry/device-sdk-go/commit/6e2217aa1a8b3508ce3f870e8bd5b28281c22161
github.com/edgexfoundry/device-sdk-go/pull/1161
github.com/edgexfoundry/edgex-go/commit/1da00045c508a7d59c26af6ad2625d77986b1a8c
github.com/edgexfoundry/edgex-go/pull/4016
github.com/edgexfoundry/edgex-go/security/advisories/GHSA-g63h-q855-vp3q