V3 API authentication bypass vulnerability in SupportCenter Plus
Severity : Critical
CVE ID : CVE-2022-36412
Affected software version(s) : 11022, 11021, and 11020. Other versions remain unaffected.
Fixed version(s) : 11023
Fixed on : July 21, 2022
Details
This vulnerability allows an adversary to perform multiple operations using V3 APIs in SupportCenter Plus without the necessary credentials. Because the previously authenticated user's credentials were not flushed from the request context once that user's request completed, an unauthenticated caller could perform V3 API operations under that earlier user's identity.
Impact
This vulnerability allows unauthenticated users to perform any V3 API operation as a previously authenticated user.
How have we fixed it?
We are now applying proper API authentication on every request and wiping the credentials of the previous user before the request is processed.
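The following example, added here for illustration and not code from SupportCenter Plus or ManageEngine, shows the bug class described in the Details and fix sections above: a server keeps the caller's identity in a per-thread request context, sets it only when credentials are present, and never clears it, so a later request without credentials on the same worker thread inherits the earlier user's identity. The fixed handler authenticates every request, overwrites the context unconditionally, and flushes it in a finally block. All names (RequestContext slot `_ctx`, `handle_v3_request_*`, `v3_operation`, the token table) are assumptions chosen for the demonstration and make no claim about how the product's V3 API is implemented.

```python
"""Stale-credential leakage through a per-thread request context.

Constructed, hypothetical example for this advisory; it is not
SupportCenter Plus code. Every identifier below is an assumption
made for the illustration.
"""
import threading

# Per-thread slot a server might use to remember "who is calling".
_ctx = threading.local()

# Constructed token table standing in for a real session store.
VALID_TOKENS = {"tok-alice": "alice", "tok-bob": "bob"}


class Unauthorized(Exception):
    pass


def _authenticate(headers):
    """Resolve the caller from the Authorization header, or return None."""
    token = headers.get("Authorization")
    return VALID_TOKENS.get(token)


def v3_operation(resource):
    """A V3-style API operation that acts on behalf of the current user."""
    user = getattr(_ctx, "user", None)
    if user is None:
        raise Unauthorized("no authenticated user in request context")
    return f"{user} performed operation on {resource}"


def handle_v3_request_vulnerable(headers, resource):
    """Vulnerable handler: sets the context only when credentials are
    present and never clears it, so an unauthenticated request that
    follows on the same thread runs as the previous caller."""
    user = _authenticate(headers)
    if user is not None:
        _ctx.user = user            # set on success ...
    return v3_operation(resource)   # ... but never flushed on the way out


def handle_v3_request_fixed(headers, resource):
    """Fixed handler: authenticate every request, bind the result (even
    None) to the context so nothing is inherited, and flush it
    unconditionally after the operation, whether or not it succeeded."""
    _ctx.user = _authenticate(headers)  # overwrite, never inherit
    try:
        return v3_operation(resource)
    finally:
        _ctx.user = None                # flush regardless of outcome


def replay(handler):
    """Run an authenticated request, then one with no credentials, on the
    same thread and report what the second request was allowed to do."""
    _ctx.user = None  # clean context so the demonstration is deterministic
    first = handler({"Authorization": "tok-alice"}, "ticket/42")
    try:
        second = handler({}, "ticket/42")
    except Unauthorized:
        second = "rejected"
    return first, second


if __name__ == "__main__":
    print("vulnerable:", replay(handle_v3_request_vulnerable))
    print("fixed:     ", replay(handle_v3_request_fixed))
```

Running the script shows the unauthenticated second request succeeding as "alice" against the vulnerable handler and being rejected by the fixed one. The same pattern applies to any per-request state (thread-locals, pooled connection objects, servlet request attributes) that survives across requests on a reused worker: the check to make in review is that identity is resolved and bound on every request and cleared in a finally path, never left over from the previous caller.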
Steps to upgrade
Customers must upgrade to the latest version of SupportCenter Plus (11023) using the appropriate migration path listed here.
Work-around/Fix
Customers must upgrade to the latest version of SupportCenter Plus (11023).
Acknowledgements
This vulnerability was reported by Raphael Cheneau.