Skip to content

Insufficient Granularity of Access Control in github.com/google/exposure-notifications-verification-server

Moderate
sethvargo published GHSA-wx8q-rgfr-cf6v Nov 9, 2021

Package

gomod github.com/google/exposure-notifications-verification-server (Go)

Affected versions

< 1.1.2

Patched versions

1.1.2

Description

Impact

Users or API keys with permission to expire verification codes could have expired codes that belonged to another realm if they guessed the UUID.

Patches

v1.1.2+

Workarounds

There are no workarounds, and there are no indications this has been exploited in the wild. Verification codes can only be expired by providing their 64-bit UUID, and verification codes are already valid for a very short period of time (thus the UUID rotates frequently).

For more information

Contact exposure-notifications-feedback@google.com

Severity

Moderate

CVE ID

CVE-2021-22565

Weaknesses

Credits