Homepage
About Snyk

Authorization Bypass Through User-Controlled Key Affecting @oneuptime/common-server package, versions <7.0.1815

Severity

 Recommended
0.0
high
0
10

CVSS assessment made by Snyk's Security Team

    Threat Intelligence

    EPSS
    0.04% (10th percentile)

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications
  • Snyk ID SNYK-JS-ONEUPTIMECOMMONSERVER-6483320
  • published 25 Mar 2024
  • disclosed 24 Mar 2024
  • credit saunders-jake
Report a new vulnerability Found a mistake?

Introduced: 24 Mar 2024

CVE-2024-29194 Open this link in a new tab
CWE-639 Open this link in a new tab

How to fix?

Upgrade @oneuptime/common-server to version 7.0.1815 or higher.

Overview

@oneuptime/common-server is a The OneUptime Common Server Library is a collection of shared components, utilities that are used across the OneUptime platform. This library is built with Node.js and TypeScript. It includes utilities like database connection, and query builders, etc.

Affected versions of this package are vulnerable to Authorization Bypass Through User-Controlled Key. The is_master_admin key, stored in the local storage of the browser, can be manipulated by an attacker. By changing this key from false to true, the application grants administrative privileges to the user, without proper server-side validation.

References

CVSS Scores

version 3.1
Expand this section

Snyk

8.3 high
  • Attack Vector (AV)
    Network
  • Attack Complexity (AC)
    Low
  • Privileges Required (PR)
    Low
  • User Interaction (UI)
    None
  • Scope (S)
    Unchanged
  • Confidentiality (C)
    High
  • Integrity (I)
    High
  • Availability (A)
    Low