CVE-2013-7379 – tomato
Package
Manager: npm
Name: tomato
Vulnerable Version: >=0 <0.0.6
Severity
Level: Critical
CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N/E:U/RL:O/RC:C
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N
EPSS: 0.0036 (percentile 0.57416)
Details
# API Admin Auth Weakness in tomato

Versions of `tomato` prior to 0.0.6 are affected by a somewhat complex authentication bypass vulnerability in the admin service when only a single access key is configured on the server. The vulnerability allows an attacker to guess the password for the admin service, no matter how complex that password is, in less than 200 requests.

## Details

The tomato API has an admin service that is enabled by setting up an `access_key` in the config options. This `access_key` is intended to protect the API admin from unauthorized access. Tomato verifies the `access_key` by checking whether the server `access_key` contains the user-provided value as a substring at any position. This allows an attacker to provide a single character as an `access_key`; as long as the server key contains at least one instance of that character, it will be considered a valid key.

## Proof of Concept

This is the snippet of code that does the comparison to authorize requests.

```
if (access_key && config.master.api.access_key.indexOf(access_key) !== -1) {
```

For an `access_key` that is set to anything that includes the letter 'a', the following request would be authorized.

```
$ curl -X POST "http://localhost:8081/api/exec" -H "Content-Type: application/json" -d @test -H "access-key: a"
{
  "cmd": "ls",
  "path": ".",
  "stdout": "app.js\nconfig.js\nlog\nnode_modules\nserver.js\n",
  "stderr": ""
}
```

## Recommendation

Update to version 0.0.6 or later.
Metadata
Created: 2020-08-31T22:59:07Z
Modified: 2021-09-23T21:00:28Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2020/08/GHSA-9vxc-g2jx-qj3p/GHSA-9vxc-g2jx-qj3p.json
CWE IDs: ["CWE-287"]
Alternative ID: GHSA-9vxc-g2jx-qj3p
Finding: F039
Auto approve: 1