Security (Cluster Token Disclosure (CVE-2022-46383))
Summary¶
Digital Rebar exposed a privileged token via a public API endpoint. The token can be used to escalate privileges within the Digital Rebar system and grant full administrative access.
Technical Details¶
Digital Rebar's High Availability (HA) implementation uses temporary authentication tokens to handle cluster authentication and memberships. These tokens are generated even if Digital Rebar is running in a single server setup.
A bug was discovered where the token was embedded in cluster details that are available to any authenticated user, including a Digital Rebar machine, via the Digital Rebar API. Due to the machine provisioning process, an unauthenticated user can create a machine token with limited privileges and discover this token.
Recommendations¶
A fix has been developed to hide these tokens within the Digital Rebar API. Digital Rebar users should update to the latest fixed version.
Affected Versions¶
| Affected Versions | Fixed Version |
|---|---|
| v4.5 and earlier | v4.6.15 |
| v4.6 | v4.6.15 |
| v4.7 | v4.7.23 |
| v4.8 | v4.8.6 |
| v4.9 | v4.9.13 |
| v4.10 | v4.10.9 |
Common Vulnerability Scoring System (CVSS) Score¶
| CVSS Base Score | 10 |
| Attack Vector | Network |
| Attack Complexity | Low |
| Privileges Required | None |
| User Interaction | None |
| Scope | Changed |
| Confidentiality Impact | High |
| Integrity Impact | High |
| Availability Impact | High |
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H