Kob Access Control Vulnerability in OperationFilter Component

Vulnerability

A vulnerability has been identified in the Kob application, specifically in version 1.0.0-SNAPSHOT. The issue arises from incorrect access control in the 'doFilter' function of the 'OperationFilter' class, which allows attackers to bypass authentication and access sensitive API information without authorization. This is achieved by exploiting the way request URIs are processed, enabling the use of crafted payloads to manipulate access to protected resources.

Impact

Exploitation of this vulnerability allows unauthorized access to sensitive information via the application's API, potentially exposing confidential data or functionality.

Reproduction

To reproduce this vulnerability, send a request to the '/node/server_node_list.json' endpoint without any authorization. The request will be redirected to an admin login page. However, if the request is sent to '/static/../node/server_node_list.json', the authentication check is bypassed, and access to the node's information is granted.
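
One filter pattern consistent with the behaviour described above is an allowlist prefix matched against the raw request URI, dot segments included. The following is an added example, not Kob's source code: the '/static/' public prefix is an assumption inferred from the reproduction path, and the class, method and decision names are hypothetical. It compares that weak check with one that refuses non-canonical paths before any allowlist match.

```java
import java.util.List;
import java.util.Locale;

// Added example, not Kob's source code. The "/static/" allowlist prefix is an
// assumption inferred from the reproduction path; all names are hypothetical.
public class FilterPathCheck {
    static final List<String> PUBLIC_PREFIXES = List.of("/static/");

    // Weak form: prefix match on the raw request URI, dot segments included.
    static String decideRaw(String rawUri) {
        return startsWithPublic(rawUri) ? "ALLOW_PUBLIC" : "REQUIRE_AUTH";
    }

    // Hardened form: refuse non-canonical paths before any allowlist match.
    static String decideStrict(String rawUri) {
        if (!isCanonical(rawUri)) return "REJECT_400";
        return startsWithPublic(rawUri) ? "ALLOW_PUBLIC" : "REQUIRE_AUTH";
    }

    static boolean startsWithPublic(String path) {
        return PUBLIC_PREFIXES.stream().anyMatch(path::startsWith);
    }

    // Canonical here means: absolute, no "." or ".." or empty inner segments, no
    // backslash, no ";" path parameters, no percent-encoded dot or separator.
    static boolean isCanonical(String rawUri) {
        String lower = rawUri.toLowerCase(Locale.ROOT);
        if (!rawUri.startsWith("/") || rawUri.contains("\\") || rawUri.contains(";")
                || lower.contains("%2e") || lower.contains("%2f") || lower.contains("%5c")) {
            return false;
        }
        String[] segments = rawUri.substring(1).split("/", -1);
        for (int i = 0; i < segments.length; i++) {
            boolean last = (i == segments.length - 1);
            if (segments[i].equals(".") || segments[i].equals("..")) return false;
            if (segments[i].isEmpty() && !last) return false; // "//" inside the path
        }
        return true;
    }

    public static void main(String[] args) {
        // The two paths from the advisory, plus one constructed static asset path.
        String[] samples = { "/node/server_node_list.json",
            "/static/../node/server_node_list.json", "/static/css/app.css" };
        for (String uri : samples) {
            System.out.printf("%-40s raw=%-13s strict=%s%n", uri, decideRaw(uri), decideStrict(uri));
        }
    }
}
```

In a servlet filter the string passed to these checks would be the value of HttpServletRequest.getRequestURI(), which the container returns undecoded.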

Added: Jun 9, 2025, 7:46 PM
Updated: Jun 9, 2025, 7:46 PM

Vulnerability Rating

Custom Algorithm
spread: 0.0
impact: 2.5
exploitability: 8.7
remediation: 0.0
relevance: 0.0
threat: 6.4
urgency: 2.9
incentive: 5.8

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.