Description

a12n-server is an npm package which aims to provide a simple authentication system. A new HAL-Form was added to allow editing users in version 0.18.0. This feature should only have been accessible to admins. Unfortunately, privileges were incorrectly checked allowing any logged in user to make this change. Patched in v0.18.2.

Remediation

References

https://github.com/curveball/a12n-server/security/advisories/GHSA-8hw9-22v6-9jr9

https://www.npmjs.com/package/%40curveball/a12n-server

Related Vulnerabilities

CVE-2016-1000229 Vulnerability in maven package org.webjars:swagger-ui

CVE-2019-10365 Vulnerability in maven package org.jenkins-ci.plugins:google-kubernetes-engine

CVE-2019-19771 Vulnerability in npm package bs58chek

CVE-2016-10623 Vulnerability in npm package macaca-chromedriver-zxa

CVE-2022-21213 Vulnerability in maven package org.webjars.npm:mout

Severity

High

Classification

CWE-863 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N

Tags

Third Party Advisory