Bareos Command ACL Circumvention via Abbreviation (GHSA-jfww-q346-r2r8)

From this webpage screenshot, the following key information about the vulnerability can be obtained: 1. Vulnerability Description: - Vulnerability Name: Negative command ACLs can be circumvented by abbreviating commands - Publisher: pstorz - Vulnerability ID: GHSA-jfww-q346-r2r8 - Release Time: 8 hours ago 2. Affected Versions: - Package Name: bareos-director - Affected Versions: - >= 23.0.0, = 22.0.0, < 22.1.6 - < 21.1.11 3. Fixed Versions: - 23.0.4 - 22.1.6 - 21.1.11 4. Severity: - Severity Level: High - CVSS v3 Base Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: Low - User Interaction: None - Scope: Unchanged - Confidentiality: High - Integrity: High - Availability: High 5. Vulnerability Description: - When command ACLs are in place, if a user executes a command in bconsole using an abbreviation (e.g., "w" instead of "whoami"), the ACL check is applied to the abbreviated command (e.g., "w") rather than the full command (e.g., "whoami"). If the command ACL is configured with a negative ACL to block the "whoami" command, the user can still successfully execute "w" or "who" as a command. 6. Affected Users: - Users of Bareos versions prior to 23.0.4 (up to 23.0.0), prior to 22.1.6 (up to 22.0.0), prior to 21.1.11 (up to 21.0.0), and any older versions who use command ACLs may be affected. 7. Remediation: - The fix for this issue is included in Bareos versions 23.0.4, 22.1.6, and 21.1.11. 8. Workaround: - If only positive command ACLs (without any negative restrictions) are used, the issue will not occur. 9. Reference Links: - WebUI Profile Resource Configuration - Command ACL documentation - Pull request containing the fix This information helps understand the nature of the vulnerability, its scope of impact, and how to remediate or work around it.

Goal Reached Thanks to every supporter — we hit 100%!

Bareos Command ACL Circumvention via Abbreviation (GHSA-jfww-q346-r2r8)

More from this source