Lucene search

Veracode Vulnerability DatabaseVERACODE:44908

HistoryJan 02, 2024 - 7:12 a.m.

Authentication Bypass

2024-01-0207:12:27

Veracode Vulnerability Database

sca.analysiscenter.veracode.com

hail

authentication bypass

openid connect

email address validation

unauthorized access

organization domain

resource vulnerability

5.3 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

LOW

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

6.9 Medium

AI Score

Confidence

High

0.0005 Low

EPSS

Percentile

17.0%

JSON

hail is is vulnerable to Authentication Bypass. The vulnerability is due to improper validation while handling OpenID Connect (OIDC) email addresses. This lack of verification of the user’s email domain allows an attacker to manipulate their email address to match an organization’s domain with organization level permissions, allowing the attacker gain unauthorized access to some resources in Hail Batch clusters, such as the ability to run hail jobs.

CPENameOperatorVersion
haille0.2.126
haille0.2.126

CPE	Name	Operator	Version
	hail	le	0.2.126
	hail	le	0.2.126

References

github.com/hail-is/hail/commit/0dcc17ff24564b6f5592261d7975e8afd0f95de7

github.com/hail-is/hail/security/advisories/GHSA-487p-qx68-5vjw

5.3 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

LOW

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

6.9 Medium

AI Score

Confidence

High

0.0005 Low

EPSS

Percentile

17.0%

JSON

Related for VERACODE:44908