Improper Authorization

Affecting github.com/cockroachdb/cockroach/pkg/sql/sqlbase package, versions >=19.1.0 <19.1.16 || >=19.2.0 <19.2.2


Overview

github.com/cockroachdb/cockroach/pkg/sql/sqlbase is a package of CockroachDB, an open source, cloud-native SQL database.

Affected versions of this package are vulnerable to Improper Authorization. An authenticated non-admin user can call any admin endpoint that is exposed over HTTP, even though those operations should be restricted to admin users. This allows non-admin users to shut down a node or to view SQL objects on which they have no permissions.
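
To illustrate the class of flaw described above, here is an added Go example (not CockroachDB's own code) of an HTTP gate that authenticates the caller and, only when asked to, authorizes the admin role; the user table, the X-User header and the /admin/drain path are constructed for this example.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
)

// Constructed user table: name -> admin flag (stand-in for a real session store).
var users = map[string]bool{"root": true, "alice": false}

// authenticate resolves the caller from a constructed X-User header (real servers use sessions or certs).
func authenticate(r *http.Request) (isAdmin, ok bool) {
	isAdmin, ok = users[r.Header.Get("X-User")]
	return isAdmin, ok
}

// gate authenticates the caller and, when adminOnly is set, also authorizes the
// admin role. Registering an admin endpoint with adminOnly=false is the flaw
// class described above: every authenticated user reaches the handler.
func gate(next http.HandlerFunc, adminOnly bool) http.HandlerFunc {
	return func(w http.ResponseWriter, r *http.Request) {
		isAdmin, ok := authenticate(r)
		if !ok {
			http.Error(w, "unauthenticated", http.StatusUnauthorized)
			return
		}
		if adminOnly && !isAdmin {
			http.Error(w, "admin role required", http.StatusForbidden)
			return
		}
		next(w, r)
	}
}

// drainNode stands in for an admin-only operation such as shutting down a node.
func drainNode(w http.ResponseWriter, r *http.Request) { w.WriteHeader(http.StatusOK) }

// callAs sends a POST to the handler as the named user and returns the HTTP status.
func callAs(h http.HandlerFunc, user string) int {
	req := httptest.NewRequest(http.MethodPost, "/admin/drain", nil) // constructed path
	req.Header.Set("X-User", user)
	rec := httptest.NewRecorder()
	h(rec, req)
	return rec.Code
}

func main() {
	fmt.Println("missing admin check, alice:", callAs(gate(drainNode, false), "alice")) // 200
	fmt.Println("admin check in place, alice:", callAs(gate(drainNode, true), "alice"))  // 403
}
```

A test for such a gate should cover all three outcomes: unauthenticated (401), authenticated non-admin (403) and admin (200), since the missing middle case is exactly what this advisory describes.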

Remediation

Upgrade github.com/cockroachdb/cockroach/pkg/sql/sqlbase to version 19.1.16, 19.2.2 or higher.

CVSS Score

8.8 (high severity)
  • Attack Vector
    Network
  • Attack Complexity
    Low
  • Privileges Required
    Low
  • User Interaction
    None
  • Scope
    Unchanged
  • Confidentiality
    High
  • Integrity
    High
  • Availability
    High
CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Credit: kena
CWE: CWE-285
Snyk ID: SNYK-GOLANG-GITHUBCOMCOCKROACHDBCOCKROACHPKGSQLSQLBASE-536005
Disclosed: 19 Nov, 2019
Published: 27 Nov, 2019