Description

a12n-server is an npm package which aims to provide a simple authentication system. A new HAL-Form was added to allow editing users in version 0.18.0. This feature should only have been accessible to admins. Unfortunately, privileges were incorrectly checked allowing any logged in user to make this change. Patched in v0.18.2.

Remediation

References

https://github.com/curveball/a12n-server/security/advisories/GHSA-8hw9-22v6-9jr9

https://www.npmjs.com/package/%40curveball/a12n-server

Related Vulnerabilities

CVE-2018-16487 Vulnerability in maven package org.fujion.webjars:lodash

CVE-2015-5262 Vulnerability in maven package org.apache.httpcomponents:httpclient

CVE-2019-10174 Vulnerability in maven package org.infinispan:infinispan-commons

CVE-2021-39147 Vulnerability in maven package com.thoughtworks.xstream:xstream

CVE-2020-28052 Vulnerability in maven package org.bouncycastle:bcprov-ext-jdk14

Severity

High

Classification

CWE-863 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N

Tags

Third Party Advisory