CVE-2023-51663— Hail 安全漏洞

Hail authentication can be bypassed by changing email address

Hail is an open-source, general-purpose, Python-based data analysis tool with additional data types and methods for working with genomic data. Hail relies on OpenID Connect (OIDC) email addresses from ID tokens to verify the validity of a user's domain, but because users have the ability to change their email address, they could create accounts and use resources in clusters that they should not have access to. For example, a user could create a Microsoft or Google account and then change their email to `test@example.org`. This account can then be used to create a Hail Batch account in Hail Batch clusters whose organization domain is `example.org`. The attacker is not able to access private data or impersonate another user, but they would have the ability to run jobs if Hail Batch billing projects are enabled and create Azure Tenants if they have Azure Active Directory Administrator access.

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

使用候选名称进行的认证绕过

Hail 安全漏洞

Hail是一款基于 Python 的开源通用数据分析工具，具有用于处理基因组数据的附加数据类型和方法。 Hail 0.2.127之前版本存在安全漏洞，该漏洞源于Hail依靠 ID 令牌中的 OpenID Connect (OIDC) 电子邮件地址来验证用户域的有效性，但由于用户可以更改其电子邮件地址，因此用户可以创建其他帐户并使用他们不应访问的集群中的资源。

N/A

N/A