Description

a12n-server is an npm package which aims to provide a simple authentication system. A new HAL-Form was added to allow editing users in version 0.18.0. This feature should only have been accessible to admins. Unfortunately, privileges were incorrectly checked allowing any logged in user to make this change. Patched in v0.18.2.

Remediation

References

https://github.com/curveball/a12n-server/security/advisories/GHSA-8hw9-22v6-9jr9

https://www.npmjs.com/package/%40curveball/a12n-server

Related Vulnerabilities

CVE-2018-17197 Vulnerability in maven package org.apache.tika:tika-core

CVE-2022-45868 Vulnerability in maven package com.h2database:h2

CVE-2020-8215 Vulnerability in npm package canvas

CVE-2017-16036 Vulnerability in npm package badjs-sourcemap-server

CVE-2020-35209 Vulnerability in maven package io.atomix:atomix

Severity

High

Classification

CWE-863 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N

Tags

Third Party Advisory