Authorization Bypass Through User-Controlled Key Affecting @oneuptime/common-server package, versions <7.0.1815


Severity

0.0
high
0
10

    Threat Intelligence

    EPSS
    0.04% (9th percentile)

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications
  • Snyk ID SNYK-JS-ONEUPTIMECOMMONSERVER-6483320
  • published 25 Mar 2024
  • disclosed 24 Mar 2024
  • credit saunders-jake

How to fix?

Upgrade @oneuptime/common-server to version 7.0.1815 or higher.

Overview

@oneuptime/common-server is a The OneUptime Common Server Library is a collection of shared components, utilities that are used across the OneUptime platform. This library is built with Node.js and TypeScript. It includes utilities like database connection, and query builders, etc.

Affected versions of this package are vulnerable to Authorization Bypass Through User-Controlled Key. The is_master_admin key, stored in the local storage of the browser, can be manipulated by an attacker. By changing this key from false to true, the application grants administrative privileges to the user, without proper server-side validation.

References

CVSS Scores

version 3.1
Expand this section

Snyk

8.3 high
  • Attack Vector (AV)
    Network
  • Attack Complexity (AC)
    Low
  • Privileges Required (PR)
    Low
  • User Interaction (UI)
    None
  • Scope (S)
    Unchanged
  • Confidentiality (C)
    High
  • Integrity (I)
    High
  • Availability (A)
    Low