Zerobyte Authentication Bypass Vulnerability
Vulnerability
An authentication bypass vulnerability has been identified in Zerobyte versions prior to 0.18.5 and 0.19.0. The issue arises because the authentication middleware is not properly enforced on certain API endpoints, allowing access without valid session credentials. This vulnerability is particularly concerning for users who have exposed Zerobyte to external networks.
Impact
Exploitation of this vulnerability allows unauthorized access to API endpoints, potentially leading to unauthorized data access or manipulation.
Reproduction
The vulnerability can be reproduced by sending requests to the API endpoints without any authentication credentials. This can be done using a tool like curl or Postman. The response will indicate that the request was successful, despite the absence of authentication.
Remediation
Users are advised to upgrade to Zerobyte versions 0.19.0 or 0.18.5, where this vulnerability has been patched. If an immediate upgrade is not possible, restrict network access to the Zerobyte instance to trusted networks only, using firewall rules or network segmentation.
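The bug class described in this advisory, authentication enforced per endpoint so that a single omission exposes a route, is best prevented by enforcing the check once at the dispatcher and treating every route as protected unless it is explicitly allowlisted. The block below is an added example and not Zerobyte's code: it shows a minimal per-route pattern with one forgotten check beside the default-deny form, and a regression check that walks the route table and reports any non-public path that answers 200 without a session. The endpoint paths, the session cookie name and the session store are constructed for the example.

```python
"""Added example (not Zerobyte's code): per-route auth checks versus a
default-deny dispatcher, plus a route-table regression check.
Endpoint names, the cookie name and VALID_SESSIONS are constructed."""

from dataclasses import dataclass, field
from typing import Callable, Dict, Optional

# Constructed sample session store: one valid session id.
VALID_SESSIONS = {"sess-123": "alice"}


@dataclass
class Request:
    path: str
    headers: Dict[str, str] = field(default_factory=dict)


@dataclass
class Response:
    status: int
    body: str


def session_user(req: Request) -> Optional[str]:
    """Return the user for a valid 'session' cookie, else None."""
    cookie = req.headers.get("Cookie", "")
    for part in cookie.split(";"):
        name, _, value = part.strip().partition("=")
        if name == "session" and value in VALID_SESSIONS:
            return VALID_SESSIONS[value]
    return None


# --- Vulnerable pattern: every handler must remember its own check ---------
def vuln_list_files(req: Request) -> Response:
    if session_user(req) is None:
        return Response(401, "unauthorized")
    return Response(200, "file1,file2")


def vuln_delete_file(req: Request) -> Response:
    # Check forgotten here: an unauthenticated caller reaches the handler.
    return Response(200, "deleted")


VULN_ROUTES: Dict[str, Callable[[Request], Response]] = {
    "/api/files": vuln_list_files,
    "/api/files/delete": vuln_delete_file,
}


def vuln_dispatch(req: Request) -> Response:
    handler = VULN_ROUTES.get(req.path)
    return handler(req) if handler else Response(404, "not found")


# --- Hardened pattern: default-deny at the dispatcher ----------------------
PUBLIC_PATHS = {"/api/health"}  # the only routes allowed without a session


def list_files(req: Request) -> Response:
    return Response(200, "file1,file2")


def delete_file(req: Request) -> Response:
    return Response(200, "deleted")


def health(req: Request) -> Response:
    return Response(200, "ok")


ROUTES: Dict[str, Callable[[Request], Response]] = {
    "/api/files": list_files,
    "/api/files/delete": delete_file,
    "/api/health": health,
}


def dispatch(req: Request) -> Response:
    """Every route passes the session check unless explicitly allowlisted."""
    handler = ROUTES.get(req.path)
    if handler is None:
        return Response(404, "not found")
    if req.path not in PUBLIC_PATHS and session_user(req) is None:
        return Response(401, "unauthorized")
    return handler(req)


def unauthenticated_ok(dispatcher, routes, public) -> list:
    """Regression check: non-public paths that answer 200 with no session."""
    leaks = []
    for path in routes:
        if path in public:
            continue
        if dispatcher(Request(path)).status == 200:
            leaks.append(path)
    return leaks


if __name__ == "__main__":
    print("vulnerable leaks:", unauthenticated_ok(vuln_dispatch, VULN_ROUTES, set()))
    print("hardened leaks:", unauthenticated_ok(dispatch, ROUTES, PUBLIC_PATHS))
```

The regression check is the piece worth keeping in a test suite: because it iterates the route table rather than a hand-written list, a newly added endpoint that is missing from the allowlist still gets the session check in the hardened dispatcher, and any route that does slip through is reported by path.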
