Ava-298: unauthorized read of vcore webhooks API

Release Date

17th August 2020.

Overview

A logged in vcore user could view the configured webhooks using the vcore API without the appropriate permissions.

Affected Products

• vcore: All Beta Upgrade Channel versions before 2.4.2.
• vcore: All Stable Upgrade Channel versions before 2.4.2.

Unaffected Products

• vcore: All Beta Upgrade Channel versions after and including 2.4.2.
• vcore: All Stable Upgrade Channel versions after and including 2.4.2.
• vcloud: All versions
• vcam: All versions

Resolution

This issue has been fixed in vcore Beta Upgrade Channel version 2.4.2 and Stable Upgrade Channel version 2.4.2. We strongly recommend that all vcore installations running an affected version upgrade to the latest release as soon as possible. Releases are available to download through the vcore User Interface.

Vulnerability Information

A logged in vcore user could view configured webhooks using the vcore API without the appropriate permissions. However, the impact of this vulnerability is mitigated if the deployment does not use webhooks or if the configured webhooks do not contain any sensitive information such as passwords or API tokens.

• CVE: Pending
• CVSSv3.1 score: 9.9 (Critical)
• CVSSv3.1 vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

Mitigations

If your vcore deployment cannot be immediately upgraded to an unaffected version, we recommend deleting all webhooks containing sensitive information or locking all user accounts that do not have permissions to add, edit, or delete webhooks.

Acknowledgements

Issue found internally by Ava Security.

Disclosure Timeline

• 17/07/2020 Issue found internally by Ava Security
• 11/08/2020 Fix identified
• 14/08/2020 Patched vcore 2.4.2 (Beta upgrade channel) released
• 17/08/2020 Patched vcore 2.4.2 (Stable upgrade channel) released
• 17/08/2020 Advisory published internally
• 17/08/2020 Vulnerability publicly disclosed