
Authentication Bypass Using an Alternate Path or Channel and Authentication Bypass by Primary Weakness in rucio-webui

High severity GitHub Reviewed Published Oct 21, 2021 in rucio/rucio • Updated Apr 20, 2023

Package

rucio-webui (pip)

Affected versions

>= 1.26.0, < 1.26.7

Patched versions

1.26.7

Description

Impact

rucio-webui installations of the 1.26 release line can leak the contents of cookies to other sessions within the same WSGI container. The impact is that a user's Rucio authentication token is exposed to other users who access the webui within a close timeframe, and those users can then use the leaked token to access the webui as the token's owner. Because the recipient acts with the token owner's privileges, this is also a privilege escalation.

Rucio server / daemons are not affected by this issue, it is isolated to the webui.
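The advisory does not state the root cause. The following is an added example, not rucio-webui code, that shows the generic way a WSGI application ends up serving one request's cookie to another: per-request data parked in module-level state, which every thread in a threaded worker process shares. The cookie name x-rucio-auth-token, the `example.pause` hook used to force a deterministic thread interleaving, and the two user tokens are all constructed for the illustration.

```python
"""Cross-request cookie leakage in a threaded WSGI container (added example).

Not rucio-webui code, and not the advisory's actual root cause, which the
advisory does not describe. It shows the generic failure class: per-request
data stored in module-level state is shared by every thread in the worker
process, so a concurrent request can read another user's session cookie.
"""
import threading
from http.cookies import SimpleCookie

# Cookie name is an assumption made for this example.
TOKEN_COOKIE = "x-rucio-auth-token"


def parse_cookie(environ):
    """Parse the Cookie header from a WSGI environ into a plain dict."""
    jar = SimpleCookie()
    jar.load(environ.get("HTTP_COOKIE", ""))
    return {name: morsel.value for name, morsel in jar.items()}


# --- Vulnerable pattern: request state in a module global ---------------------
_current_cookie = {}  # one copy per process, shared by all request threads


def vulnerable_app(environ, start_response):
    global _current_cookie
    pause = environ.get("example.pause", lambda _stage: None)  # constructed test hook
    pause("before_store")
    _current_cookie = parse_cookie(environ)        # another thread can overwrite this...
    pause("after_store")
    token = _current_cookie.get(TOKEN_COOKIE, "")  # ...before it is read back here
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [token.encode()]


# --- Fixed pattern: request state stays on the request's own stack ------------
def fixed_app(environ, start_response):
    pause = environ.get("example.pause", lambda _stage: None)
    pause("before_store")
    cookie = parse_cookie(environ)  # local to this call; other threads cannot see it
    pause("after_store")
    token = cookie.get(TOKEN_COOKIE, "")
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [token.encode()]


def run_pair(app):
    """Serve two concurrent requests (constructed users alice and bob) through
    `app`, forcing bob's cookie to be stored between alice's store and her read.
    Returns {user: token the response echoed back}."""
    alice_stored, bob_stored = threading.Event(), threading.Event()
    results = {}

    def alice_pause(stage):
        if stage == "after_store":
            alice_stored.set()          # let bob run...
            bob_stored.wait(timeout=5)  # ...and read only once he has stored

    def bob_pause(stage):
        if stage == "before_store":
            alice_stored.wait(timeout=5)
        elif stage == "after_store":
            bob_stored.set()

    def serve(user, token, pause):
        environ = {"HTTP_COOKIE": f"{TOKEN_COOKIE}={token}", "example.pause": pause}
        body = app(environ, lambda status, headers: None)
        results[user] = b"".join(body).decode()

    threads = [
        threading.Thread(target=serve, args=("alice", "tok-alice", alice_pause)),
        threading.Thread(target=serve, args=("bob", "tok-bob", bob_pause)),
    ]
    for t in threads:
        t.start()
    for t in threads:
        t.join()
    return results


if __name__ == "__main__":
    print("vulnerable:", run_pair(vulnerable_app))  # alice is served bob's token
    print("fixed:     ", run_pair(fixed_app))       # each user gets their own
```

In a real container the `pause` hook is simply the scheduler preempting one request thread between the store and the read, which is why the leak shows up only when two users hit the webui within a close timeframe. Running single-threaded, prefork-only workers hides the symptom but does not remove the bug; the fix is to keep request data request-scoped (a local, the `environ`, or at minimum `threading.local()`), never in module globals.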

Patches

This issue is fixed in the 1.26.7 release of the rucio-webui.

Workarounds

Install the 1.25.7 webui release instead. The 1.25 and earlier webui release lines are not affected by this issue.

References

rucio/rucio#4928


bari12 published to rucio/rucio Oct 21, 2021
Reviewed Oct 21, 2021
Published to the GitHub Advisory Database Oct 22, 2021
Last updated Apr 20, 2023

Severity

High

Weaknesses

Authentication Bypass Using an Alternate Path or Channel

A product requires authentication, but the product has an alternate path or channel that does not require authentication.

Authentication Bypass by Primary Weakness

The authentication algorithm is sound, but the implemented mechanism can be bypassed as the result of a separate weakness that is primary to the authentication error.

CVE ID

No known CVE

GHSA ID

GHSA-v988-828w-xvf2
