Accellion Kiteworks Authentication Bypass

Accellion Kiteworks versions prior to 2017.01.00 suffer from an authentication bypass vulnerability.


MD5 | cab63696d1530db7193b2c37c49a1b23

[Suggested description]

Authentication Bypass vulnerability in Accellion kiteworks before 2017.01.00 allows remote attackers to execute certain API calls on behalf of a web user using a gathered token via a POST request to /oauth/token.



------------------------------------------



[Vulnerability Type]

Incorrect Access Control



------------------------------------------



[Vendor of Product]

Accellion



------------------------------------------



[Affected Product Code Base]

Kiteworks - Affected Version: kw2016.04.12, Fixed Version: v2017.01.00



------------------------------------------



[Affected Component]

web user, token, API calls



------------------------------------------



[Attack Type]

Remote



------------------------------------------



[Impact Information Disclosure]

true



------------------------------------------



[CVE Impact Other]

Can create user accounts



------------------------------------------



[Attack Vectors]

To exploit the vulnerability, someone can gather the token by submitting a POST request to /oauth/token.



------------------------------------------



[Has vendor confirmed or acknowledged the vulnerability?] true



------------------------------------------



[Discoverer]
Jerin Joy
Email: [email protected]
