Description

a12n-server is an npm package which aims to provide a simple authentication system. A new HAL-Form was added to allow editing users in version 0.18.0. This feature should only have been accessible to admins. Unfortunately, privileges were incorrectly checked allowing any logged in user to make this change. Patched in v0.18.2.

Remediation

References

https://github.com/curveball/a12n-server/security/advisories/GHSA-8hw9-22v6-9jr9

https://www.npmjs.com/package/%40curveball/a12n-server

Related Vulnerabilities

CVE-2020-8237 Vulnerability in maven package org.webjars.npm:json-bigint

CVE-2014-0121 Vulnerability in maven package io.hawt:hawtio-karaf-terminal

CVE-2019-3799 Vulnerability in maven package org.springframework.cloud:spring-cloud-config-server

CVE-2020-1925 Vulnerability in maven package org.apache.olingo:odata-client-core

CVE-2019-9843 Vulnerability in maven package com.diffplug.spotless:spotless-maven-plugin

Severity

High

Classification

CWE-863 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N

Tags

Third Party Advisory