Ascertia SigningHub Access Control Vulnerability in User Account Creation
Vulnerability
A vulnerability in Ascertia SigningHub version 8.6.8 and prior allows attackers to bypass access controls on the Add User API, enabling the arbitrary creation of user accounts without any rate limiting. This lack of control can lead to resource exhaustion and a denial-of-service condition by overwhelming the system with a large number of accounts.
Impact
Exploitation of this vulnerability can cause resource exhaustion and denial-of-service conditions by flooding the application with excessive user accounts, leading to database bloat and increased server load.
Reproduction
To reproduce this vulnerability, authenticate as a user with permission to add accounts, and send repeated requests to the Add User API to create multiple user accounts. The absence of rate limiting allows this process to be automated, quickly generating a large number of accounts.
Remediation
Ascertia has released a patch for this vulnerability in SigningHub versions after 8.6.8. Users are advised to update to the latest version.
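Until the patch is deployed, the missing control can be approximated in front of the endpoint and in log review. The following is an added example, not Ascertia's code: a per-actor sliding-window limiter plus a replay of constructed access-log lines that reports which Add User calls would have been rejected. The endpoint path "/api/v1/users" and the log format are assumptions; SigningHub's real paths are not given on this page.

```python
"""Sliding-window rate limit for an account-creation endpoint.

Added example, not Ascertia's code. The endpoint path "/api/v1/users" and the
log format below are assumptions; SigningHub's real paths are not on this page.
"""
from collections import defaultdict, deque


class SlidingWindowLimiter:
    """Allow at most `limit` events per `window` seconds for each key."""

    def __init__(self, limit, window):
        self.limit = limit
        self.window = window
        self._events = defaultdict(deque)  # key -> timestamps of allowed events

    def allow(self, key, now):
        q = self._events[key]
        # Drop timestamps that have fallen out of the window.
        while q and now - q[0] >= self.window:
            q.popleft()
        if len(q) >= self.limit:
            return False
        q.append(now)
        return True


def audit_account_creation(log_lines, limit=5, window=60):
    """Replay log lines of the form "<epoch> <actor> <method> <path>".

    Returns per-actor counts of allowed vs. rejected Add User calls and the
    sorted list of actors that tripped the limit."""
    limiter = SlidingWindowLimiter(limit, window)
    summary = defaultdict(lambda: {"allowed": 0, "rejected": 0})
    for line in log_lines:
        ts, actor, method, path = line.split()
        if method != "POST" or path != "/api/v1/users":
            continue  # only account-creation calls count against the limit
        if limiter.allow(actor, float(ts)):
            summary[actor]["allowed"] += 1
        else:
            summary[actor]["rejected"] += 1
    flagged = sorted(a for a, s in summary.items() if s["rejected"] > 0)
    return dict(summary), flagged


# Constructed sample: admin-a bursts 8 creations in 8 s, admin-b stays normal.
SAMPLE_LOG = [f"{1000 + i} admin-a POST /api/v1/users" for i in range(8)] + [
    "1003 admin-b POST /api/v1/users",
    "1004 admin-b GET /api/v1/users",
    "1200 admin-b POST /api/v1/users",
]

if __name__ == "__main__":
    print(audit_account_creation(SAMPLE_LOG))
```

Running the sample rejects three of admin-a's eight calls and flags only admin-a; the same counters can feed an alert when any principal exceeds the window.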
