Veracode Vulnerability Database: VERACODE:47507
History: Jun 13, 2024 - 5:43 a.m.

Improper Authentication

2024-06-13 05:43:37
Veracode Vulnerability Database
sca.analysiscenter.veracode.com
authentication
json web token
submarineconfvars

CVSS3: 9.8

Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: HIGH
Integrity Impact: HIGH
Availability Impact: HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

AI Score: 6.8
Confidence: High

EPSS: 0.008
Percentile: 82.3%

org.apache.submarine:submarine-commons-utils is vulnerable to Improper Authentication. The vulnerability is caused by a hard-coded JSON Web Token (JWT) key (SUBMARINE_SECRET_12345678901234567890) within SubmarineConfVars.java, which allows attackers to generate unauthorized JWT tokens, bypass authentication, and potentially gain access to sensitive data and functionality.
