CVE-2022-1996
Authorization Bypass vulnerability in go-restful (Go)


What is CVE-2022-1996 About?

This vulnerability is an Authorization Bypass Through User-Controlled Key in the `emicklei/go-restful` library prior to v3.8.0. It allows an attacker to bypass authorization mechanisms by manipulating user-controlled keys. The impact can include unauthorized access to sensitive data or functions, and exploitability depends on how the application uses the affected keys.

Affected Software

  • github.com/emicklei/go-restful
    • <2.16.0
    • <2.16.0+incompatible
  • github.com/emicklei/go-restful/v2
    • >=2.7.1
    • <=2.7.1
  • github.com/emicklei/go-restful/v3
    • >3.0.0, <3.8.0

Technical Details

The emicklei/go-restful library, in versions prior to v3.8.0, is vulnerable to an authorization bypass. This occurs because certain keys, which are meant to securely control access or authorization decisions, can be manipulated by a user. The mechanism likely involves the application or library failing to properly validate or sanitize user-supplied input used as a key in authorization checks. An attacker can craft a request or input that alters the value of this user-controlled key, causing the authorization logic to evaluate it unexpectedly, thereby granting unauthorized access to resources or functionalities that should otherwise be restricted.

What is the Impact of CVE-2022-1996?

Successful exploitation may allow attackers to bypass intended authorization controls, gaining unauthorized access to sensitive resources, performing privileged actions, or exfiltrating confidential information.

What is the Exploitability of CVE-2022-1996?

Exploitation requires the ability to manipulate specific user-controlled keys that influence authorization decisions within applications built with emicklei/go-restful. The complexity may vary depending on how these keys are exposed and what kind of input validation is in place, but it's generally low for an attacker who understands the application's structure. Authentication requirements depend on whether the vulnerable key can be manipulated by unauthenticated users or if prior authentication is needed to interact with the API endpoints that use these keys. Privilege levels are generally low, as the goal is to elevate privileges or access restricted areas. This is typically a remote exploit where an attacker sends crafted requests. The likelihood of exploitation increases significantly if the application directly uses user-supplied values as authorization keys without strict validation or sanitization.

What are the Known Public Exploits?

No known exploits.

What are the Available Fixes for CVE-2022-1996?

A Fix by Resolved Security Exists!

Available Upgrade Options

  • github.com/emicklei/go-restful
    • <2.16.0+incompatible → Upgrade to 2.16.0+incompatible
  • github.com/emicklei/go-restful
    • <2.16.0 → Upgrade to 2.16.0
  • github.com/emicklei/go-restful/v3
    • >3.0.0, <3.8.0 → Upgrade to 3.8.0
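
To check a project against the affected ranges and upgrade targets listed above, the following added example (not code from go-restful or Resolved Security) scans `go.mod` text for go-restful requirements. The names `ScanGoMod`, `Affected` and `key`, and the sample `go.mod` content, are assumptions made for this illustration; pre-release and `+incompatible` suffixes are ignored.

```go
package main

import (
	"fmt"
	"regexp"
	"strconv"
)

// reqRE matches go.mod requirements for go-restful, with or without a /vN suffix.
// Pre-release and +incompatible suffixes are ignored (simplifying assumption).
var reqRE = regexp.MustCompile(`(?m)^\s*(?:require\s+)?(github\.com/emicklei/go-restful(?:/v\d+)?)\s+v(\d+)\.(\d+)\.(\d+)`)

// key packs major.minor.patch into one comparable int (assumes each part < 1000).
func key(major, minor, patch int) int { return major*1000000 + minor*1000 + patch }

// Affected applies the ranges listed on this page and returns the listed upgrade target.
func Affected(mod string, v int) (bool, string) {
	switch mod {
	case "github.com/emicklei/go-restful": // <2.16.0
		return v < key(2, 16, 0), "2.16.0"
	case "github.com/emicklei/go-restful/v2": // >=2.7.1, <=2.7.1
		return v == key(2, 7, 1), "(none listed)"
	case "github.com/emicklei/go-restful/v3": // >3.0.0, <3.8.0
		return v > key(3, 0, 0) && v < key(3, 8, 0), "3.8.0"
	}
	return false, ""
}

// ScanGoMod returns one finding per affected go-restful requirement in go.mod text.
func ScanGoMod(gomod string) []string {
	var out []string
	for _, m := range reqRE.FindAllStringSubmatch(gomod, -1) {
		var p [3]int
		for i := range p {
			p[i], _ = strconv.Atoi(m[i+2])
		}
		if bad, fix := Affected(m[1], key(p[0], p[1], p[2])); bad {
			out = append(out, fmt.Sprintf("%s v%s.%s.%s: upgrade to %s", m[1], m[2], m[3], m[4], fix))
		}
	}
	return out
}

// sampleGoMod is constructed go.mod content used only for this example.
const sampleGoMod = "require github.com/emicklei/go-restful v2.9.5+incompatible\nrequire github.com/emicklei/go-restful/v3 v3.8.0\n"

func main() {
	fmt.Println(ScanGoMod(sampleGoMod))
}
```

Run it over the output of `go list -m all` as well as `go.mod` to catch indirect requirements that only appear in the resolved module graph.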

Additional Resources

What are Similar Vulnerabilities to CVE-2022-1996?

Similar Vulnerabilities: CVE-2022-22947, CVE-2022-22965, CVE-2022-0847, CVE-2021-43846, CVE-2021-33924