CVE-2022-24721

Description

### Impact Internal usage of Oort and Seti channels is improperly authorized, so any remote user could subscribe and publish to those channels. By subscribing to those channels, a remote user may be able to watch cluster-internal traffic that contains other user's (possibly sensitive) data. By publishing to those channels, a remote user may be able to create/modify/delete other user's data and modify the cluster structure. The issue impacts any version up to 5.0.10, 6.0.5 and 7.0.5. ### Patches The issue has been fixed in 5.0.11, 6.0.6 and 7.0.6. ### Workarounds The workaround is to install a custom `SecurityPolicy` that forbids subscription and publishing to remote, non-Oort, sessions on Oort and Seti channels. This workaround could be implemented in any affected version. ### References cometd/cometd#1146 ### For more information If you have any questions or comments about this advisory: * Email us at [[email protected]](mailto:[email protected]) ### Credits https://www.redteam-pentesting.de/

How to fix CVE-2022-24721

To remediate CVE-2022-24721, upgrade the affected package to a fixed version below.

• —upgrade to 5.0.11 or later

Is CVE-2022-24721 being exploited?

Low — EPSS is 0.2%, meaning exploitation activity has not been observed at scale.

Affected packages (1)

• from 0, < 5.0.11

CVSS scores

References (5)

• ADVISORYnvd.nist.gov/vuln/detail/CVE-2022-24721
• PATCHgithub.com/cometd/cometd
• WEBgithub.com/cometd/cometd/commit/bb445a143fbf320f17c62e340455cd74acfb5929
• WEBgithub.com/cometd/cometd/issues/1146
• WEB