CVE-2022-46163

 

Published at: - 10-01-2023 10:15

Last modified: - 20-01-2023 06:55

Total changes: - 3

Description

Travel support program is a rails app to support the travel support program of openSUSE (TSP). Sensitive user data (bank account details, password Hash) can be extracted via Ransack query injection. Every deployment of travel-support-program below the patched version is affected. The travel-support-program uses the Ransack library to implement search functionality. In its default configuration, Ransack will allow for query conditions based on properties of associated database objects [1]. The `*_start`, `*_end` or `*_cont` search matchers [2] can then be abused to exfiltrate sensitive string values of associated database objects via character-by-character brute-force (A match is indicated by the returned JSON not being empty). A single bank account number can be extracted with <200 requests, a password hash can be extracted with ~1200 requests, all within a few minutes. The problem has been patched in commit d22916275c51500b4004933ff1b0a69bc807b2b7. In order to work around this issue, you can also cherry pick that patch, however it will not work without the Rails 5.0 migration that was done in #150, which in turn had quite a few pull requests it depended on.

Common Vulnerability Scoring System (CVSS)

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

 

Verification logic

 

Reference

• https://github.com/openSUSE/travel-support-program/commit/d22916275c51500b4004933ff1b0a69bc807b2b7
• https://github.com/openSUSE/travel-support-program/pull/158
• https://github.com/openSUSE/travel-support-program/security/advisories/GHSA-2wwv-c6xh-cf68

 

Keywords

NVD

 

CVE-2022-46163

 

CVE

 

Common vulnerabilities & exposures

 

CVSS

 

Common vulnerability scoring system

 

Security

 

Vulnerabilities

 

Exposures