CVE-2022-25237 in Webinfo

Summary

by MITRE • 06/02/2022

Bonita Web 2021.2 is affected by an authentication/authorization bypass vulnerability due to an overly broad exclude pattern used in the RestAPIAuthorizationFilter. By appending ;i18ntranslation or /../i18ntranslation/ to the end of a URL, users with no privileges can access privileged API endpoints. This can lead to remote code execution by abusing the privileged API actions.


Analysis

by VulDB Data Team • 06/05/2022

The vulnerability identified as CVE-2022-25237 affects Bonita Web version 2021.2 and represents a critical authentication and authorization bypass flaw that undermines the application's security controls. This issue stems from a poorly configured access control mechanism within the RestAPIAuthorizationFilter component, which is responsible for enforcing security boundaries around privileged API endpoints. The flaw manifests when attackers manipulate URL paths through specific appendages that exploit the overly permissive exclusion patterns implemented in the authorization filter. The vulnerability's technical nature allows malicious actors to bypass intended access restrictions by appending either ;i18ntranslation or /../i18ntranslation/ to target URLs, effectively circumventing the authentication checks that should prevent unauthorized access to sensitive administrative functions.

The operational impact of this vulnerability extends beyond simple unauthorized access, creating a pathway for remote code execution through the abuse of privileged API actions. When attackers successfully exploit this bypass, they gain access to administrative capabilities that would normally be restricted to authorized users with proper credentials and permissions. This creates a severe risk landscape where unauthenticated attackers can potentially execute arbitrary code on the affected system, leading to full system compromise. The vulnerability's exploitation demonstrates a classic path to privilege escalation through path traversal and URL manipulation techniques that have been documented in various security frameworks and attack methodologies. The issue directly relates to CWE-285, which addresses improper authorization vulnerabilities, and aligns with ATT&CK technique T1078 for valid accounts and T1566 for credential harvesting through exploitation of web application vulnerabilities.

The root cause of this vulnerability lies in the implementation of the RestAPIAuthorizationFilter's exclusion patterns, which fail to properly validate or sanitize user-supplied URL components before determining access permissions. The overly broad exclusion patterns create a security gap where legitimate path traversal sequences can be used to bypass authorization checks entirely. This flaw represents a common class of web application security issues where input validation and access control mechanisms are insufficiently implemented or configured. Organizations using Bonita Web 2021.2 are particularly vulnerable because the default configuration allows for this type of path manipulation to succeed in bypassing security controls. The vulnerability's severity is compounded by the fact that it requires minimal effort to exploit, making it attractive to threat actors who can leverage it for various malicious activities including data exfiltration, system compromise, and persistent access to the affected environment. Security professionals should note that this vulnerability demonstrates the importance of proper access control implementation and the dangers of overly permissive security configurations that fail to adequately validate user input and request paths.
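As an added illustration (not VulDB's or Bonita's own code), the snippet below contrasts a substring-style exclusion of the kind the advisory describes with a check that canonicalises the request path before comparing it, and flags the two suffixes named in the advisory in constructed access-log lines. The public endpoint path, the shape of the flawed check and the log format are assumptions made for the example.

```python
import posixpath
import re

# Constructed model of the flaw the advisory describes: the exclusion is
# tested as a substring of the raw request URI, so any URI that merely
# contains the fragment is treated as public. This is an assumption about
# the shape of the check, not Bonita's actual RestAPIAuthorizationFilter.
def is_excluded_raw(request_uri: str) -> bool:
    return "i18ntranslation" in request_uri

def canonical_path(request_uri: str) -> str:
    """Drop the query string, strip per-segment matrix parameters (;...),
    collapse repeated slashes and resolve '.' / '..' so the decision is
    made on the path the container will actually dispatch to."""
    path = request_uri.split("?", 1)[0]
    if not path.startswith("/"):
        path = "/" + path
    segments = [seg.split(";", 1)[0] for seg in path.split("/")]
    return posixpath.normpath(re.sub(r"/+", "/", "/".join(segments)))

# Assumed public endpoint path, for illustration only.
PUBLIC_ENDPOINTS = {"/API/system/i18ntranslation"}

# Hardened variant: exact match on the canonical path, never a substring test.
def is_excluded_hardened(request_uri: str) -> bool:
    return canonical_path(request_uri) in PUBLIC_ENDPOINTS

# Detection: flag the two suffixes named in the advisory in combined-format
# access-log lines (after a whitespace split, field 6 is the request URI).
BYPASS_MARKER = re.compile(r";i18ntranslation|/\.\./i18ntranslation/", re.I)

def suspicious_requests(log_lines):
    hits = []
    for line in log_lines:
        parts = line.split()
        if len(parts) > 6 and BYPASS_MARKER.search(parts[6]):
            hits.append(parts[6])
    return hits

# Constructed sample log lines: one legitimate call, two bypass attempts.
SAMPLE_LOG = [
    '10.0.0.5 - - [06/Jun/2022:10:00:01 +0000] "GET /API/system/i18ntranslation?f=locale%3den HTTP/1.1" 200 512',
    '10.0.0.9 - - [06/Jun/2022:10:00:02 +0000] "GET /API/bpm/process;i18ntranslation HTTP/1.1" 200 2048',
    '10.0.0.9 - - [06/Jun/2022:10:00:03 +0000] "POST /API/bpm/process/../i18ntranslation/ HTTP/1.1" 200 300',
]

if __name__ == "__main__":
    for uri in ("/API/bpm/process;i18ntranslation", "/API/system/i18ntranslation"):
        print(uri, is_excluded_raw(uri), is_excluded_hardened(uri))
    print(suspicious_requests(SAMPLE_LOG))
```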

Reservation: 02/16/2022
Disclosure: 06/02/2022
Moderation: accepted
CPE: ready
EPSS: 0.56222
KEV: no
Activities: very low
Campaigns: 1 (confirmed)
