| Title | RYMCU forest V1.0 Missing Authentication |
|---|---|
| Description | The application contains a critical security flaw in the bank management API where ANY authenticated user (regardless of role) can access sensitive financial information including all bank accounts, account balances, bank owners, and transaction details. This endpoint is located under the /api/v1/admin/bank/ path, clearly indicating it should be restricted to administrators, yet while JWT authentication is enforced by the Shiro filter chain, there is NO role-based authorization check to ensure the user is an administrator. |
| Source | https://github.com/rymcu/forest/issues/198 |
| User | 1098024193 (UID 45260) |
| Submission | 10/23/2025 11:34 (6 months ago) |
| Moderation | 11/09/2025 07:53 (17 days later) |
| Status | Accepted |
| VulDB entry | 331644 [rymcu forest up to de53ce79db9faa2efc4e79ce1077a302c42a1224 BankController.java GlobalResult authorization] |
| Points | 20 |