La Sostenibilità per TIM

Il Report 2024 accoglie i principi della Corporate Sustainability Reporting Directive (CSRD) ed è incluso nella Relazione Finanziaria e di Sostenibilità. Approfondisci

Ultimi Comunicati Stampa

Redazione ufficio stampa

Leggi gli ultimi comunicati stampa e naviga nell'archivio dell'Ufficio Stampa del Gruppo TIM. Leggi i comunicati

CVE-2021-41554

CVE-2021-41554 – ARCHIBUS Web Central

Vulnerability Description: Multiple Broken Access Control- CWE-284
Software Version: 21.3.3.815
NIST: https://nvd.nist.gov/vuln/detail/CVE-2021-41554
CVSv3: 8.8
Severity
: High
Credits:
 Luca Carbone, Mattia Campanelli, Alessandro Sabetta, Massimiliano Brolli

** UNSUPPORTED WHEN ASSIGNED **
ARCHIBUS Web Central 21.3.3.815 (a version from 2014) does not properly validate requests for access to data and functionality in these affected endpoints:

/archibus/schema/ab-edit-users.axvw/archibus/schema/ab-data-dictionary-table.axvw, /archibus/schema/ab-schema-add-field.axvw, /archibus/schema/ab-core/views/process-navigator/ab-my-user-profile.axvw. By not verifying the permissions for access to resources, it allows a potential attacker to view pages that are not allowed. Specifically, it was found that any authenticated user can reach the administrative console for user management by directly requesting access to the page via URL. This allows a malicious user to modify all users' profiles, to elevate any privileges to administrative ones, or to create or delete any type of user. It is also possible to modify the emails of other users, through a misconfiguration of the username parameter, on the user profile page.  This is fixed in all recent versions, such as version 26.

NOTE: This vulnerability only affects products that are no longer supported by the maintainer. Version 21.3 was officially de-supported by the end of 2020.