Security (Cluster Token Disclosure (CVE-2022-46383))

Summary

Digital Rebar exposed a privileged token via a public API endpoint. The token can be used to escalate privileges within the Digital Rebar system and grant full administrative access.

Technical Details

Digital Rebar's High Availability (HA) implementation uses temporary authentication tokens to handle cluster authentication and membership. These tokens are generated even when Digital Rebar is running in a single-server setup.

A bug was discovered where this token was embedded in the cluster details that the Digital Rebar API returns to any authenticated user, including a Digital Rebar machine. Because of the machine provisioning process, an unauthenticated user can create a machine token with limited privileges and use it to discover the HA token.

Recommendations

A fix has been developed to hide these tokens within the Digital Rebar API. Digital Rebar users should update to the latest fixed version.

Affected Versions

Affected Versions    Fixed Version
v4.5 and earlier     v4.6.15
v4.6                 v4.6.15
v4.7                 v4.7.23
v4.8                 v4.8.6
v4.9                 v4.9.13
v4.10                v4.10.9
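The table above as a version check, added here as an example and not code from the advisory or the Digital Rebar project. It assumes version strings of the form "v4.7.10" (optional "v" prefix; anything after the patch number, such as "-tip", is ignored) and reports "not covered" for lines newer than v4.10, which the table does not list.

```python
import re
from typing import NamedTuple, Optional, Tuple


class Advisory(NamedTuple):
    affected: Optional[bool]   # None when the version line is outside the table
    fixed_in: Optional[str]    # version to upgrade to when affected, else None


# Fixed-version table from the advisory, keyed by (major, minor) release line.
FIXED_BY_LINE = {
    (4, 6): (4, 6, 15),
    (4, 7): (4, 7, 23),
    (4, 8): (4, 8, 6),
    (4, 9): (4, 9, 13),
    (4, 10): (4, 10, 9),
}
OLDEST_LINE = (4, 6)   # "v4.5 and earlier" are told to move to this line's fix
NEWEST_LINE = (4, 10)  # the advisory table stops here

# Assumption: an optional "v" prefix, then MAJOR.MINOR.PATCH; any suffix
# after the patch number (pre-release or build tag) is ignored for ordering.
_VERSION_RE = re.compile(r"^v?(\d+)\.(\d+)\.(\d+)")


def parse_version(text: str) -> Tuple[int, int, int]:
    """Turn 'v4.7.10' or '4.7.10-tip' into the tuple (4, 7, 10)."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    major, minor, patch = (int(x) for x in m.groups())
    return major, minor, patch


def _fmt(version: Tuple[int, int, int]) -> str:
    return "v" + ".".join(str(x) for x in version)


def check_cve_2022_46383(text: str) -> Advisory:
    """Classify a Digital Rebar version against the advisory's fix table."""
    major, minor, patch = parse_version(text)
    line = (major, minor)
    if line < OLDEST_LINE:            # v4.5 and earlier: always affected
        return Advisory(True, _fmt(FIXED_BY_LINE[OLDEST_LINE]))
    if line > NEWEST_LINE:            # newer than v4.10: not in the table
        return Advisory(None, None)
    fixed = FIXED_BY_LINE[line]
    if (major, minor, patch) < fixed:
        return Advisory(True, _fmt(fixed))
    return Advisory(False, None)
```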

Common Vulnerability Scoring System (CVSS) Score

CVSS Base Score         10
Attack Vector           Network
Attack Complexity       Low
Privileges Required     None
User Interaction        None
Scope                   Changed
Confidentiality Impact  High
Integrity Impact        High
Availability Impact     High

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H