Skip to content

Authentication Bypass in Izanami

Critical
mathieuancelin published GHSA-9r7j-m337-792c Jan 11, 2023

Package

MAIF/izanami (Java jar)

Affected versions

< 1.11.0

Patched versions

1.11.0
docker maif/izanami (Docker)
< 1.11.0
1.11.0

Description

The issues

we discovered a way to bypass the authentication in this application when deployed using the official Docker image. Because a hard coded secret is used to sign the authentication token (JWT), an attacker could compromise another instance of Izanami by doing the following steps :

  1. The attacker installs his own Izanami application.
  2. The attacker logs in and copies the content of the cookie named Izanami.
  3. The attacker connects to the victim’s website and creates a cookie named Izanami with the previous value.
  4. The attacker is successfully log-in, even if his user does not exist.

Affected versions

At the time this report is written, the version 1.10.22 was proven to be affected. Previous versions are likely to be vulnerable too.

Patched version

Version 1.11.0 fixes the issue. We strongly encourage you to upgrade your existing Izanami deployments to v1.11.0

Credits

This issue was discovered by Raphaël LOB from Synacktiv (https://www.synacktiv.com/)

Severity

Critical
9.8
/ 10

CVSS base metrics

Attack vector
Network
Attack complexity
Low
Privileges required
None
User interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CVE ID

CVE-2023-22495

Weaknesses