logo

Advisories

Weaknesses

Fixes

Requirements

Compliance

CVE-2021-37705 onefuzz

Package

Manager: pip
Name: onefuzz
Vulnerable Version: >=2.12.0 <2.31.0

Severity

Level: Critical

CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:L

CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:L/SC:H/SI:H/SA:L

EPSS: 0.00708 pctl0.71321

Details

Improper Authorization and Origin Validation Error in OneFuzz ## Impact Starting with OneFuzz 2.12.0 or greater, an incomplete authorization check allows an authenticated user from any Azure Active Directory tenant to make authorized API calls to a vulnerable OneFuzz instance. To be vulnerable, a OneFuzz deployment must be: * Version 2.12.0 or greater * Deployed with the non-default [`--multi_tenant_domain`](https://github.com/microsoft/onefuzz/blob/2.30.0/src/deployment/deploy.py#L1021) option This can result in read/write access to private data such as: * Software vulnerability and crash information * Security testing tools * Proprietary code and symbols Via authorized API calls, this also enables tampering with existing data and unauthorized code execution on Azure compute resources. ## Patches This issue is resolved starting in release 2.31.0, via the addition of application-level check of the bearer token's `issuer` against an administrator-configured allowlist. ## Workarounds Users can restrict access to the tenant of a deployed OneFuzz instance < 2.31.0 by redeploying in the default configuration, which omits the `--multi_tenant_domain` option. ## References You can find an overview of the Microsoft Identity Platform [here](https://docs.microsoft.com/en-us/azure/active-directory/develop/v2-overview). This vulnerability applies to the multi-tenant application pattern, as described [here](https://docs.microsoft.com/en-us/azure/active-directory/develop/howto-convert-app-to-be-multi-tenant). ## For more information If you have any questions or comments about this advisory: * Open an issue in [OneFuzz](https://github.com/microsoft/onefuzz) * Email us at [fuzzing@microsoft.com](mailto:fuzzing@microsoft.com)

Metadata

Created: 2021-08-13T20:16:32Z
Modified: 2024-10-07T16:44:37Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/08/GHSA-q5vh-6whw-x745/GHSA-q5vh-6whw-x745.json
CWE IDs: ["CWE-285", "CWE-346", "CWE-863"]
Alternative ID: GHSA-q5vh-6whw-x745
Finding: F039
Auto approve: 1