CVE-2022-44796 Escalation of privileges vulnerability in Object First
Note: Object First will continue to update this vulnerability as new information becomes available.
Date: 2022-10-24
Status: Final
CVEs: CVE-2022-44796
- Overview
- Affected Versions
- Remediation
- Revision History
Important note:
This vulnerability is related to the Object First Ootbi BETA version, which is not released for production and therefore has no impact on the production environment. The production-ready Object First Ootbi version will have this vulnerability fixed.
Summary
The authorization service has a flow which allows getting access to the Web UI without knowing credentials. For signing JWT token is used the secret key that is generated through a function which doesn’t produce crypto strong sequences.
Impact
An attacker can predict these sequences and generate a JWT token. As a result, an attacker can get access to the Web UI.
Vulnerability Scoring
| CVE | CVSS 3.x Score | Vector |
|---|---|---|
| CVE-2022-44796 | 9.8 (CRITICAL) | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
References
| Resource | Hyperlink |
|---|---|
| NIST NVD | https://nvd.nist.gov/vuln/detail/CVE-2022-44796 |
Affected Versions:
Object First Ootbi BETA build 1.0.7.712
Not affected versions:
Object First Ootbi 1.3.22.3043
Software Versions and Fixes
Fixed in Object First Ootbi BETA build 1.0.13.1611
Workaround
Update to Object First Ootbi BETA build 1.0.13.1611 or higher
Obtaining Software Fixes
Software updates will be available in Object First Update Manager. You can contact Support directly via email at support@objectfirst.com or via phone at +1 800 6657145.
Status of Notice
Final
Object First will continue to update information regarding this vulnerability as new details become available.
This vulnerability article should be considered as the single source of current, up-to-date, authorized and accurate information posted by Object First Software.
Revision History
| Revision # | Date | Comments |
|---|---|---|
| 1.0 | 2022-10-24 | Initial Public Release and Final Status |
| 2.0 | 2022-11-09 | Added CVE number and NVD reference |
| 3.0 | 2023-02-06 | Added Beta note |
| 4.0 | 2023-03-08 | Adjusted build and product names |