Skip to content
This repository was archived by the owner on Jul 12, 2023. It is now read-only.

Insufficient Granularity of Access Control in github.com/google/exposure-notifications-verification-server

Moderate
sethvargo published GHSA-wx8q-rgfr-cf6v Nov 9, 2021

Package

gomod github.com/google/exposure-notifications-verification-server (Go)

Affected versions

< 1.1.2

Patched versions

1.1.2

Description

Impact

Users or API keys with permission to expire verification codes could have expired codes that belonged to another realm if they guessed the UUID.

Patches

v1.1.2+

Workarounds

There are no workarounds, and there are no indications this has been exploited in the wild. Verification codes can only be expired by providing their 64-bit UUID, and verification codes are already valid for a very short period of time (thus the UUID rotates frequently).

For more information

Contact [email protected]

Severity

Moderate

CVE ID

CVE-2021-22565

Weaknesses

Insufficient Granularity of Access Control

The product implements access controls via a policy or other feature with the intention to disable or restrict accesses (reads and/or writes) to assets in a system from untrusted agents. However, implemented access controls lack required granularity, which renders the control policy too broad because it allows accesses from unauthorized agents to the security-sensitive assets. Learn more on MITRE.

Credits