SB2020040727 - Improper Authorization in Yahoo Elide Java library

Description

This security bulletin contains information about 1 vulnerability.

1) Improper Authorization (CVE-ID: CVE-2020-5289)

CWE-ID: CWE-285 - Improper Authorization

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Green

The vulnerability allows a remote attacker to bypass implemented authorization.

The vulnerability exists due to incorrect authorization checks. A remote authenticated attacker can "guess and check" the value of a model field they do not have access to assume they can read at least one other field in the model, then construct filter expressions for an inaccessible field to filter a collection and reconstruct the value of the inaccessible field.

Remediation

Install update from vendor's website.

References

• https://github.com/yahoo/elide/pull/1236
• https://github.com/yahoo/elide/pull/1236/commits/a985f0f9c448aabe70bc904337096399de4576dc
• https://github.com/yahoo/elide/security/advisories/GHSA-2mxr-89gf-rc4v