
Overview

github.com/google/exposure-notifications-verification-server/pkg/rbac is the package rbac, which implements authorization for the Exposure Notifications verification server.

Affected versions of this package are vulnerable to Privilege Escalation. An attacker who

  • (1) has UserWrite permissions, and
  • (2) sends a carefully crafted request, or routes the request through a malicious proxy,

can create another user with higher privileges than their own. The cause is insufficient checking of the permission set requested for the new user: the server confirmed that the actor could write users, but did not constrain the permissions being granted to those the actor already held. The creation of the new user is captured in the Event Log, so the escalation leaves an audit trail.
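The following Go snippet is an added illustration of the check described above; it is not code from the project or from the advisory. The Permission bitmask, the constant names (modelled on the advisory's UserWrite), the AdminAll bit and both create functions are assumptions made for this example, not the project's API. It contrasts a check that only verifies the actor holds UserWrite with a hardened one that also requires the requested permissions to be a subset of the actor's own.

```go
package main

import (
	"errors"
	"fmt"
)

// Permission is a bitmask; each bit is one capability. The names below are
// assumed for this example (modelled on the advisory's "UserWrite") and are
// not the project's own constants.
type Permission uint64

const (
	UserRead Permission = 1 << iota
	UserWrite
	APIKeyWrite
	SettingsWrite
	AdminAll // assumed "super" bit that an actor must not be able to hand out
)

var ErrForbidden = errors.New("forbidden")

// Has reports whether p contains every bit set in want.
func (p Permission) Has(want Permission) bool { return p&want == want }

// createUserVulnerable mirrors the class of flaw the advisory describes: the
// only check is that the actor holds UserWrite. The requested permission set
// is taken verbatim from the request, so an actor with UserWrite can mint a
// user carrying bits the actor does not hold (for example AdminAll).
func createUserVulnerable(actor, requested Permission) (Permission, error) {
	if !actor.Has(UserWrite) {
		return 0, ErrForbidden
	}
	return requested, nil
}

// createUserHardened additionally requires the requested set to be a subset
// of the actor's own permissions, so nothing can be granted that the actor
// does not already have. The excess bits are reported for the audit log.
func createUserHardened(actor, requested Permission) (Permission, error) {
	if !actor.Has(UserWrite) {
		return 0, ErrForbidden
	}
	// requested &^ actor keeps the bits present in requested but absent in actor.
	if excess := requested &^ actor; excess != 0 {
		return 0, fmt.Errorf("%w: requested %b exceeds actor %b (excess %b)",
			ErrForbidden, requested, actor, excess)
	}
	return requested, nil
}

func main() {
	actor := UserRead | UserWrite
	// Constructed input: a crafted request asking for AdminAll on the new user.
	requested := UserRead | UserWrite | AdminAll

	if got, err := createUserVulnerable(actor, requested); err == nil {
		fmt.Printf("vulnerable: created user with %b (actor had %b)\n", got, actor)
	}
	if _, err := createUserHardened(actor, requested); err != nil {
		fmt.Println("hardened:", err)
	}
	if got, err := createUserHardened(actor, UserRead); err == nil {
		fmt.Printf("hardened: created user with %b\n", got)
	}
}
```

The subset test is the whole fix: a permission bit that the actor does not hold can never appear in a user the actor creates, regardless of how the request body was crafted or rewritten in transit.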

Remediation

Upgrade github.com/google/exposure-notifications-verification-server/pkg/rbac to version 0.23.1 or higher.


CVSS Score

6.3
medium severity
  • Attack Vector
    Network
  • Attack Complexity
    Low
  • Privileges Required
    Low
  • User Interaction
    None
  • Scope
    Unchanged
  • Confidentiality
    Low
  • Integrity
    Low
  • Availability
    Low
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L
Credit
Unknown
CVE
CVE-2021-22538
CWE
CWE-264
Snyk ID
SNYK-GOLANG-GITHUBCOMGOOGLEEXPOSURENOTIFICATIONSVERIFICATIONSERVERPKGRBAC-1090179
Disclosed
01 Apr, 2021
Published
01 Apr, 2021