
Rotate self api-key should require current api-key or password value

Moderate
ismarc published GHSA-qhjf-g9gm-64jq Oct 16, 2020

Package

No package listed

Affected versions

< 1.9.0

Patched versions

1.9.0

Description

Impact

In Conjur versions prior to 1.9.0, an authenticated role can rotate its own API key using only an access token; the request does not have to re-present the role's current API key or password. Access tokens are short-lived, but the API key they can be used to mint is not: an attacker who obtains an access token can rotate the API key, receive the new key in the response, and from then on authenticate as that role through the default authenticator, while the legitimate holder of the old key is locked out.

Patches

The problem has been resolved in Conjur 1.9.0: rotating a role's own API key now requires the request to present the role's current API key or password, so an access token alone is no longer sufficient.
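Both shapes of the endpoint side by side, as an added example in Ruby that is not Conjur's own code: a minimal in-memory role store, an authenticator that issues short-lived HMAC-signed access tokens, a pre-1.9.0-style rotate handler that accepts a bearer token, and a 1.9.0-style handler that insists on the current API key or password. Every class, method and format here (the `RoleStore`, `Authenticator`, `rotate_self_vulnerable` and `rotate_self_fixed` names, the `login|expiry|hmac` token layout, PBKDF2 password storage) is an assumption made for the example, not Conjur's implementation; `demo` walks the attack described above with nothing but a captured token.

```ruby
# Added example, not Conjur's code: a Ruby model of a "rotate my own API key"
# endpoint in its pre-1.9.0 shape (a bearer token suffices) and its 1.9.0 shape
# (the current API key or password must be re-presented). All names, the token
# layout and the in-memory store are assumptions made for this example.
require 'securerandom'
require 'openssl'

# Constant-time comparison so secret checks do not leak via timing.
def secure_equal(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

def pbkdf2(password, salt)
  OpenSSL::PKCS5.pbkdf2_hmac(password, salt, 100_000, 32, 'sha256')
end

# Roles with an API key and a salted, PBKDF2-protected password.
class RoleStore
  Role = Struct.new(:login, :api_key, :salt, :password_digest)
  def initialize
    @roles = {}
  end

  # Creates the role and returns its initial API key.
  def add(login, password:)
    salt = SecureRandom.random_bytes(16)
    @roles[login] = Role.new(login, SecureRandom.hex(24), salt, pbkdf2(password, salt))
    @roles[login].api_key
  end

  def api_key_valid?(login, candidate)
    role = @roles[login]
    role ? secure_equal(role.api_key, candidate.to_s) : false
  end

  def password_valid?(login, candidate)
    role = @roles[login]
    role ? secure_equal(role.password_digest, pbkdf2(candidate.to_s, role.salt)) : false
  end

  # Replaces the key and returns the new value, so only the caller learns it.
  def rotate_api_key(login)
    @roles.fetch(login).api_key = SecureRandom.hex(24)
  end
end

# Issues short-lived HMAC-signed bearer tokens after a successful API-key login.
class Authenticator
  TTL = 8 * 60 # seconds, an assumption for the demo
  def initialize(store)
    @store = store
    @secret = SecureRandom.random_bytes(32)
  end

  def login(login, api_key)
    return nil unless @store.api_key_valid?(login, api_key)
    body = "#{login}|#{Time.now.to_i + TTL}"
    "#{body}|#{OpenSSL::HMAC.hexdigest('sha256', @secret, body)}"
  end

  # Login named by a valid, unexpired token, else nil (logins must not contain "|").
  def subject(token)
    login, expiry, mac = token.to_s.split('|', 3)
    body = "#{login}|#{expiry}"
    return nil unless secure_equal(OpenSSL::HMAC.hexdigest('sha256', @secret, body), mac.to_s)
    expiry.to_i > Time.now.to_i ? login : nil
  end
end

# Pre-1.9.0 shape: whoever holds a valid access token may rotate the key.
def rotate_self_vulnerable(store, auth, bearer_token)
  login = auth.subject(bearer_token)
  login && store.rotate_api_key(login)
end

# 1.9.0 shape: the request must carry the current API key or password
# (HTTP Basic in Conjur); an access token is not accepted as proof.
def rotate_self_fixed(store, login, current_secret)
  return nil unless store.api_key_valid?(login, current_secret) || store.password_valid?(login, current_secret)
  store.rotate_api_key(login)
end

# Replays the advisory's attack: the attacker holds nothing but a captured token.
def demo
  password = 'correct horse battery staple'
  store = RoleStore.new
  auth = Authenticator.new(store)
  owner_key = store.add('alice', password: password)
  stolen_token = auth.login('alice', owner_key)
  new_key = rotate_self_vulnerable(store, auth, stolen_token) # pre-1.9.0 shape
  { attacker_got_key: !new_key.nil?,
    attacker_can_login: !auth.login('alice', new_key).nil?,
    owner_locked_out: auth.login('alice', owner_key).nil?,
    fixed_refuses_token: rotate_self_fixed(store, 'alice', stolen_token).nil?, # 1.9.0 shape
    owner_recovers_with_password: !rotate_self_fixed(store, 'alice', password).nil?,
    attacker_evicted: auth.login('alice', new_key).nil? }
end
```

Run the file with `ruby` and inspect `demo`: the vulnerable handler hands the attacker a fresh key and locks the owner out, the fixed handler refuses the very same (still unexpired) token, and the owner's password still proves identity, so they can rotate the key back and evict the attacker. The general lesson for any service: an access token proves that someone authenticated recently, not that the caller still controls the long-lived credential, so an operation that mints a new long-lived credential should demand the old one, or a password, again.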

CVSS

This issue is scored as 4.1 (Medium).

Workarounds

None.

References

None.

For more information

If you have any questions or comments about this advisory, please email us at security@conjur.org.

Severity

Moderate

CVE ID

No known CVE

Weaknesses

No CWEs