Ava-298: unauthorized read of vcore webhooks API
17th August 2020.
A logged-in vcore user could view the configured webhooks through the vcore API without holding the permission that is meant to gate access to them.
Affected products:
- vcore: All Beta Upgrade Channel versions before 2.4.2.
- vcore: All Stable Upgrade Channel versions before 2.4.2.
Unaffected products:
- vcore: All Beta Upgrade Channel versions after and including 2.4.2.
- vcore: All Stable Upgrade Channel versions after and including 2.4.2.
- vcloud: All versions
- vcam: All versions
This issue has been fixed in vcore Beta Upgrade Channel version 2.4.2 and Stable Upgrade Channel version 2.4.2.
We strongly recommend that all vcore installations running an affected version upgrade to the latest release as soon as possible. Releases are available to download through the vcore User Interface.
A logged-in vcore user could view the configured webhooks through the vcore API without the appropriate permissions. The impact is reduced if the deployment does not use webhooks, or if the configured webhooks do not contain sensitive information such as passwords or API tokens (for example, credentials embedded in a webhook URL or in its request headers).
- CVE: Pending
- CVSSv3.1 score: 9.9 (Critical)
- CVSSv3.1 vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
If your vcore deployment cannot be immediately upgraded to an unaffected version, we recommend one of two interim workarounds: delete all webhooks that contain sensitive information (such as passwords or API tokens), or lock all user accounts that do not have permission to add, edit, or delete webhooks.
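The bug class behind this advisory, and the interim workaround above, in a small runnable model. This is an added example, not vcore's code: the advisory does not publish vcore's API or permission names, so `MANAGE_WEBHOOKS`, `User`, `Webhook`, the handler functions and the sample webhooks are all assumptions constructed for illustration. It shows the typical shape of the flaw (the write path checks the permission, the read path does not), the corrected read path, and a helper that flags webhooks carrying secrets so they can be removed until the upgrade.

```python
"""Model of an authorization gap on a read endpoint, plus a secret-finder.

Hypothetical code written for this advisory page. It is NOT vcore's
implementation; every name below is an assumption for the example.
"""
from dataclasses import dataclass, field
import re

MANAGE_WEBHOOKS = "webhooks:manage"  # assumed permission name


@dataclass
class User:
    name: str
    permissions: set = field(default_factory=set)


@dataclass
class Webhook:
    url: str
    headers: dict = field(default_factory=dict)


class Forbidden(Exception):
    """Raised when a caller lacks the required permission."""


# Constructed sample store: the first webhook leaks a token in its query
# string, the second sends a bearer token header, the third holds no secret.
WEBHOOKS = [
    Webhook("https://hooks.example.test/notify?token=abc123"),
    Webhook("https://siem.example.test/ingest", {"Authorization": "Bearer s3cr3t"}),
    Webhook("https://public.example.test/ping"),
]


def require(user, permission):
    if permission not in user.permissions:
        raise Forbidden(f"{user.name} lacks {permission}")


# Vulnerable pattern: only the write path is gated, so any authenticated
# user can enumerate every configured webhook, secrets included.
def list_webhooks_vulnerable(user, store):
    return [w.url for w in store]


def create_webhook_vulnerable(user, webhook, store):
    require(user, MANAGE_WEBHOOKS)
    store.append(webhook)


# Fixed pattern: the read path enforces the same permission as the write path.
def list_webhooks_fixed(user, store):
    require(user, MANAGE_WEBHOOKS)
    return [w.url for w in store]


def is_denied(handler, user, store):
    """True if the handler refuses the user; lets callers test without try/except."""
    try:
        handler(user, store)
        return False
    except Forbidden:
        return True


# Workaround helper: find webhooks that carry credentials (token-like query
# parameters or credential-bearing headers) so they can be deleted until the
# deployment is upgraded. The patterns are illustrative, not exhaustive.
SECRET_QUERY = re.compile(r"[?&](token|key|secret|password|api_?key)=", re.I)
SECRET_HEADERS = {"authorization", "x-api-key", "cookie"}


def webhooks_with_secrets(store):
    flagged = []
    for w in store:
        header_names = {h.lower() for h in w.headers}
        if SECRET_QUERY.search(w.url) or header_names & SECRET_HEADERS:
            flagged.append(w.url)
    return flagged


if __name__ == "__main__":
    viewer = User("viewer")
    admin = User("admin", {MANAGE_WEBHOOKS})
    print("viewer sees (vulnerable):", list_webhooks_vulnerable(viewer, WEBHOOKS))
    print("viewer denied (fixed):", is_denied(list_webhooks_fixed, viewer, WEBHOOKS))
    print("admin sees (fixed):", list_webhooks_fixed(admin, WEBHOOKS))
    print("webhooks to remove:", webhooks_with_secrets(WEBHOOKS))
```

The lesson for an API author is the symmetry check: every permission applied to create, update and delete on a resource should be reviewed against the corresponding read and list endpoints, because a read of a webhook configuration is a read of whatever credentials it carries.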
Issue found internally by Ava Security.
- 17/07/2020 Issue found internally by Ava Security
- 11/08/2020 Fix identified
- 14/08/2020 Patched vcore 2.4.2 (Beta upgrade channel) released
- 17/08/2020 Patched vcore 2.4.2 (Stable upgrade channel) released
- 17/08/2020 Vulnerability publicly disclosed