#VU26647 Improper Authorization in Elide - CVE-2020-5289

Cybersecurity Help s.r.o.

Published: 2020-04-07

Vulnerability identifier: #VU26647

Vulnerability risk: Medium

CVSSv4.0: 4.9 [CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Green]

CVE-ID: CVE-2020-5289

CWE-ID: CWE-285

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
Elide
Web applications / JS libraries

Vendor: Yahoo

Description

The vulnerability allows a remote attacker to bypass implemented authorization.

The vulnerability exists due to incorrect authorization checks. A remote authenticated attacker can "guess and check" the value of a model field they do not have access to assume they can read at least one other field in the model, then construct filter expressions for an inaccessible field to filter a collection and reconstruct the value of the inaccessible field.

Mitigation
Install updates from vendor's website.

Vulnerable software versions

Elide: 1.0.0.2 - 4.5.13

External links
https://github.com/yahoo/elide/pull/1236
https://github.com/yahoo/elide/pull/1236/commits/a985f0f9c448aabe70bc904337096399de4576dc
https://github.com/yahoo/elide/security/advisories/GHSA-2mxr-89gf-rc4v

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

Latest bulletins with this vulnerability

Improper Authorization in Yahoo Elide Java library