io.openremote:openremote-manager@1.21.0

latest version

1.23.1

latest non vulnerable version

1.23.1

first published

1 years ago

latest version published

10 days ago

licenses detected

AGPL-3.0
[1.2.0,)

package registry

View on Maven Central Repository

Go back to all versions of this package

Report a new vulnerability Found a mistake?

Direct Vulnerabilities

Known vulnerabilities in the io.openremote:openremote-manager package. This does not include vulnerabilities belonging to this package’s dependencies.

Fix vulnerabilities automatically

Snyk's AI Trust Platform automatically finds the best upgrade path and integrates with your development workflows. Secure your code at zero cost.

Fix for free

Vulnerability Vulnerable Version

Vulnerability	Vulnerable Version
H Access Control Bypass Affected versions of this package are vulnerable to Access Control Bypass via the `updateUserRealmRoles` function. An attacker can escalate privileges by invoking the API with a valid token from one realm to modify user roles in another realm, potentially granting administrative access to unauthorized users. How to fix Access Control Bypass? Upgrade `io.openremote:openremote-manager` to version 1.22.1 or higher.	[,1.22.1)
H Arbitrary Code Injection Affected versions of this package are vulnerable to Arbitrary Code Injection in the `rules engine` process. An attacker can execute arbitrary code on the server, read arbitrary files, steal environment variables including database credentials, and bypass multi-tenant isolation to access data across all realms by creating malicious JavaScript rulesets with the `write:rules` role due to insufficient sandboxing and authorization checks. How to fix Arbitrary Code Injection? Upgrade `io.openremote:openremote-manager` to version 1.22.0 or higher.	[,1.22.0)

Access Control Bypass

Affected versions of this package are vulnerable to Access Control Bypass via the updateUserRealmRoles function. An attacker can escalate privileges by invoking the API with a valid token from one realm to modify user roles in another realm, potentially granting administrative access to unauthorized users.

How to fix Access Control Bypass?

Upgrade io.openremote:openremote-manager to version 1.22.1 or higher.

[,1.22.1)

Arbitrary Code Injection

Affected versions of this package are vulnerable to Arbitrary Code Injection in the rules engine process. An attacker can execute arbitrary code on the server, read arbitrary files, steal environment variables including database credentials, and bypass multi-tenant isolation to access data across all realms by creating malicious JavaScript rulesets with the write:rules role due to insufficient sandboxing and authorization checks.

How to fix Arbitrary Code Injection?

Upgrade io.openremote:openremote-manager to version 1.22.0 or higher.

[,1.22.0)

Go back to all versions of this package