CVE-2022-44796 Escalation of privileges vulnerability in Object First

Note: Object First will continue to update this vulnerability as new information becomes available.

Date: 2022-10-24

Status: Final

CVEs: CVE-2022-44796

Summary

The authorization service contains a flow that grants access to the Web UI without valid credentials. The secret key used to sign JWT tokens is generated by a function that does not produce cryptographically strong random sequences.
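As an added illustration of the weakness class described above (this is example code, not Object First's implementation), the following contrasts a JWT signing key derived from a seeded general-purpose PRNG with one drawn from the OS CSPRNG, and mints and verifies a minimal HS256 token with the strong key. Function names and the sample claims are assumptions for the example.

```python
# Added example: HS256 JWT signing with a CSPRNG-derived key.
# Not Object First code; weak_signing_key() only illustrates the anti-pattern.
import base64
import hashlib
import hmac
import json
import random
import secrets


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def weak_signing_key(seed: int) -> bytes:
    # Anti-pattern: random.Random is a Mersenne Twister, not a CSPRNG. The key is
    # a pure function of the seed, so it is reproducible rather than secret.
    rng = random.Random(seed)
    return rng.getrandbits(256).to_bytes(32, "big")


def strong_signing_key() -> bytes:
    # Fix: 256 bits from the OS CSPRNG (secrets wraps os.urandom).
    return secrets.token_bytes(32)


def sign_jwt(claims: dict, key: bytes) -> str:
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = (b64url(json.dumps(header, separators=(",", ":")).encode())
                     + "." + b64url(json.dumps(claims, separators=(",", ":")).encode()))
    sig = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + b64url(sig)


def verify_jwt(token: str, key: bytes):
    # Returns the claims dict on success, None on any failure.
    try:
        h, p, s = token.split(".")
    except ValueError:
        return None
    header = json.loads(b64url_decode(h))
    if header.get("alg") != "HS256":  # pin the algorithm; never trust the header
        return None
    expected = hmac.new(key, f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(s)):
        return None
    return json.loads(b64url_decode(p))
```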

Impact

An attacker can predict these sequences and generate a valid JWT token, and as a result gain access to the Web UI.

Vulnerability Scoring

CVE             CVSS 3.x Score   Vector
CVE-2022-44796  9.8 (CRITICAL)   CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

References

Resource   Hyperlink
NIST NVD   https://nvd.nist.gov/vuln/detail/CVE-2022-44796

Affected Versions:

Object First 1.0.7.712

Not affected versions:

N/A

Software Versions and Fixes

Fixed in Object First version 1.0.13.1611

Workaround

Update to Object First version 1.0.13.1611 or higher

Obtaining Software Fixes

Software updates will be available in Object First Update Manager. You can contact Support directly via email at support@objectfirst.com or via phone at +1 800 6657145.

Status of Notice

Final

Object First will continue to update information regarding this vulnerability as new details become available.

This vulnerability article should be considered as the single source of current, up-to-date, authorized and accurate information posted by Object First Software.

Revision History

Revision #   Date         Comments
1.0          2022-10-24   Initial Public Release and Final Status
2.0          2022-11-09   Added CVE number and NVD reference