CVE-2022-0860 Improper Authorization in GitHub repository cobbler/cobbler prior to 3.3.2.
This issue was fixed in 3.3.2; earlier releases are affected. Cobbler is a Linux network provisioning server whose management operations are exposed over an XML-RPC API, so an improper-authorization flaw means a caller could have an operation performed without the server verifying that the caller was permitted to request it. The advisory text does not say which call was affected; the huntr report and the fix commit listed under References identify the change. If you run Cobbler, check the installed version (for example with "cobbler version" on the server) and upgrade to 3.3.2 or later. Independently of the upgrade, keep the XML-RPC endpoint (cobblerd on TCP 25151, and the /cobbler_api path served through Apache) reachable only from trusted management networks.
Improper Authorization
Improper authorization (CWE-285) is the weakness in which a server performs an operation without checking that the requesting principal is permitted to perform it. Authentication alone does not prevent it: a caller may be logged in and still not be entitled to the specific action, and a handler that accepts a session token but never resolves it, or that performs its side effect before checking the result, behaves the same as one with no check at all. In a management API such as Cobbler's, the consequences range from disclosure of configuration to changes to the provisioning data that every host installed from that server will receive. The reviewer's check is therefore that every remotely reachable method verifies the caller's permission before doing any work, not merely that a login step exists somewhere in the API.
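The following is an added illustrative example, not Cobbler's code and not a reconstruction of the CVE-2022-0860 fix. It models a small token-authorized RPC interface of the login-returns-token shape that Cobbler's XML-RPC API uses, with one method that accepts a token but never checks it beside the corrected form that authorizes before any side effect. The class, method and user names, the in-memory store and the credentials are all hypothetical.

```python
import secrets
from dataclasses import dataclass, field


class AuthorizationError(Exception):
    """Raised when a caller is not permitted to perform an operation."""


@dataclass
class Session:
    user: str
    roles: frozenset


@dataclass
class Store:
    # hypothetical in-memory object store: system name -> attribute dict
    systems: dict = field(default_factory=dict)


class RpcInterface:
    """Toy token-authorized RPC interface (hypothetical, not Cobbler's class)."""

    # constructed user database: name -> (password, roles); not real credentials
    _USERS = {
        "admin": ("admin-pw", frozenset({"admin"})),
        "viewer": ("viewer-pw", frozenset({"read"})),
    }

    def __init__(self):
        self._tokens = {}
        self.store = Store()

    def login(self, user, password):
        """Return an opaque session token on success, None otherwise."""
        entry = self._USERS.get(user)
        if entry is None or not secrets.compare_digest(entry[0], password):
            return None
        token = secrets.token_hex(16)
        self._tokens[token] = Session(user, entry[1])
        return token

    def _check_access(self, token, permission):
        """Resolve the token and verify the permission; raise otherwise."""
        session = self._tokens.get(token)
        if session is None:
            raise AuthorizationError("invalid or expired token")
        if "admin" not in session.roles and permission not in session.roles:
            raise AuthorizationError(f"{session.user} lacks {permission}")
        return session

    # Improper authorization: the token argument is accepted for API
    # compatibility but never resolved, so any caller, even with a made-up
    # token, can modify state.
    def modify_system_vulnerable(self, name, key, value, token=None):
        self.store.systems.setdefault(name, {})[key] = value
        return True

    # Fixed: authorize before any side effect, and make the token mandatory.
    def modify_system(self, name, key, value, token):
        self._check_access(token, "write")
        self.store.systems.setdefault(name, {})[key] = value
        return True

    # Read operations need a check too; a lesser permission suffices.
    def get_system(self, name, token):
        self._check_access(token, "read")
        return dict(self.store.systems.get(name, {}))


def demonstrate():
    """Exercise both code paths; returns a dict of outcomes for inspection."""
    api = RpcInterface()
    outcomes = {}

    # Anonymous caller with a made-up token hits the unchecked method.
    api.modify_system_vulnerable("web01", "kernel_options", "init=/bin/sh", token="bogus")
    outcomes["vulnerable_accepted_bogus_token"] = api.store.systems["web01"]["kernel_options"]

    # The same caller against the fixed method is rejected before any write.
    try:
        api.modify_system("db01", "kernel_options", "init=/bin/sh", token="bogus")
        outcomes["fixed_rejected_bogus_token"] = False
    except AuthorizationError:
        outcomes["fixed_rejected_bogus_token"] = "db01" not in api.store.systems

    # A read-only user is authenticated but still not authorized to write.
    viewer = api.login("viewer", "viewer-pw")
    try:
        api.modify_system("db01", "kernel_options", "quiet", token=viewer)
        outcomes["fixed_rejected_viewer_write"] = False
    except AuthorizationError:
        outcomes["fixed_rejected_viewer_write"] = True

    # An admin succeeds, and the viewer can then read the result.
    admin = api.login("admin", "admin-pw")
    api.modify_system("db01", "kernel_options", "quiet", token=admin)
    outcomes["viewer_can_read"] = api.get_system("db01", token=viewer)
    return outcomes


if __name__ == "__main__":
    for name, result in demonstrate().items():
        print(f"{name}: {result}")
```

The point of the pairing is that both methods have the same signature and both "take a token"; only the second one consults it, and it does so before touching the store. When auditing an RPC surface for this class of bug, enumerate every exported method and confirm that each one calls the access check first, rather than inferring safety from the presence of a login method.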
Timeline
Published on: 03/11/2022 13:15:00 UTC
Last modified on: 05/23/2022 22:05:00 UTC
References
- https://huntr.dev/bounties/c458b868-63df-414e-af10-47e3745caa1d
- https://github.com/cobbler/cobbler/commit/9044aa990a94752fa5bd5a24051adde099280bfa
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/DYWYHWVVRUSPCV5SWBOSAMQJQLTSBTKY/
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/IYSHMF6MEIITFAG7EJ3IQKVUN7MDV2XM/
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/D4KCNZYBQC2FM5SEEDRQZO4LRZ4ZECMG/
- https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-0860