Privilege Escalation in github.com/google/exposure-notifications-verification-server/pkg/rbac

Do your applications use this vulnerable package? Test your applications

Overview

github.com/google/exposure-notifications-verification-server/pkg/rbac is a Package rbac implements authorization.

Affected versions of this package are vulnerable to Privilege Escalation. A privilege escalation exists which allows an attacker who

(1) has UserWrite permissions
(2) is using a carefully crafted request or malicious proxy

to create another user with higher privileges than their own. This occurs due to insufficient checks on the allowed set of permissions. The new user creation event would be captured in the Event Log.

Remediation

Upgrade github.com/google/exposure-notifications-verification-server/pkg/rbac to version 0.23.1 or higher.

References

Attack Vector

Network
Attack Complexity

Low
Privileges Required

Low
User Interaction

None
Scope

Unchanged
Confidentiality

Low
Integrity

Low
Availability

Low

Credit: Unknown
CVE: CVE-2021-22538
CWE: CWE-264
Snyk ID: SNYK-GOLANG-GITHUBCOMGOOGLEEXPOSURENOTIFICATIONSVERIFICATIONSERVERPKGRBAC-1090179
Disclosed: 01 Apr, 2021
Published: 01 Apr, 2021

Privilege Escalation
Affecting github.com/google/exposure-notifications-verification-server/pkg/rbac package, versions <0.23.1

Overview

Remediation

References

CVSS Score

Privilege Escalation Affecting github.com/google/exposure-notifications-verification-server/pkg/rbac package, versions <0.23.1

Overview

Remediation

References

Privilege Escalation
Affecting github.com/google/exposure-notifications-verification-server/pkg/rbac package, versions <0.23.1