Lucene search

Veracode Vulnerability DatabaseVERACODE:48363

HistoryAug 05, 2024 - 3:46 a.m.

Improper Authorization

2024-08-0503:46:59

Veracode Vulnerability Database

sca.analysiscenter.veracode.com

bostr

improper authorization

validation

user access

api vulnerability

relay access

CVSS3

6.3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

LOW

Integrity Impact

LOW

Availability Impact

LOW

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L

AI Score

6.6

Confidence

High

EPSS

0.001

Percentile

27.6%

JSON

bostr is vulnerable to Improper Authorization.The vulnerability is due improper validation which lets any user access the api even when the authorized_keys and noscraper is set to true. Attackers can exploit this by gaining access to the relay without proper authorization.

References

github.com/Yonle/bostr/blob/8665374a66e2afb9f92d0414b0d6f420a95d5d2d/auth.js#L21

github.com/Yonle/bostr/commit/49181f4ec9ae1472c6675cab56bbc01e723855af

github.com/Yonle/bostr/releases/tag/3.0.10

github.com/Yonle/bostr/security/advisories/GHSA-5cf7-cxrf-mq73