Lucene search

Veracode Vulnerability DatabaseVERACODE:45795

HistoryMar 07, 2024 - 9:07 a.m.

Improper Authorization

2024-03-0709:07:13

Veracode Vulnerability Database

sca.analysiscenter.veracode.com

vulnerability

casaos-userservice

improper authorization

path filtering

user avatar image

unauthorized access

regular expression

filepath parameter

directory access

7.5 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

6.9 Medium

AI Score

Confidence

High

0.0004 Low

EPSS

Percentile

15.7%

JSON

github.com/IceWhaleTech/CasaOS-UserService is vulnerable to Improper Authorization. The vulnerability is due to improper path filtering in the URL of user avatar image files. The regular expression used in the code snippet fails to sufficiently restrict access, allowing unauthorized actors to potentially manipulate the filePath parameter and access files outside the intended directory.

CPENameOperatorVersion
github.com/icewhaletech/casaos-userservicelev0.4.4-3-alpha3
github.com/icewhaletech/casaos-userservicelev0.4.4-3-alpha3

CPE	Name	Operator	Version
	github.com/icewhaletech/casaos-userservice	le	v0.4.4-3-alpha3
	github.com/icewhaletech/casaos-userservice	le	v0.4.4-3-alpha3

References

github.com/IceWhaleTech/CasaOS-UserService/commit/3f4558e23c0a9958f9a0e20aabc64aa8fd51840e

github.com/IceWhaleTech/CasaOS-UserService/releases/tag/v0.4.7

github.com/IceWhaleTech/CasaOS-UserService/security/advisories/GHSA-h5gf-cmm8-cg7c

7.5 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

6.9 Medium

AI Score

Confidence

High

0.0004 Low

EPSS

Percentile

15.7%

JSON

Related for VERACODE:45795