An issue was discovered in Object First Ootbi BETA build 1.0.7.712. The authorization service has a flow that allows getting access to the Web UI without knowing credentials. For signing, the JWT token uses a secret key that is generated through a function that doesn't produce cryptographically strong sequences. An attacker can predict these sequences and generate a JWT token. As a result, an attacker can get access to the Web UI. This is fixed in Object First Ootbi BETA build 1.0.13.1611.
References
Link | Resource |
---|---|
https://objectfirst.com/security/of-20221024-0002/ | Vendor Advisory |
Configurations
History
17 Mar 2023, 21:15
Type | Values Removed | Values Added |
---|---|---|
Summary | An issue was discovered in Object First Ootbi BETA build 1.0.7.712. The authorization service has a flow that allows getting access to the Web UI without knowing credentials. For signing, the JWT token uses a secret key that is generated through a function that doesn't produce cryptographically strong sequences. An attacker can predict these sequences and generate a JWT token. As a result, an attacker can get access to the Web UI. This is fixed in Object First Ootbi BETA build 1.0.13.1611. |
08 Nov 2022, 04:22
Type | Values Removed | Values Added |
---|---|---|
CWE | CWE-338 | |
References | (MISC) https://objectfirst.com/security/of-20221024-0002/ - Vendor Advisory | |
First Time |
Objectfirst
Objectfirst object First |
|
CVSS |
v2 : v3 : |
v2 : unknown
v3 : 9.8 |
CPE | cpe:2.3:a:objectfirst:object_first:*:*:*:*:*:*:*:* |
07 Nov 2022, 04:15
Type | Values Removed | Values Added |
---|---|---|
New CVE |
Information
Published : 2022-11-07 04:15
Updated : 2023-03-17 21:15
NVD link : CVE-2022-44796
Mitre link : CVE-2022-44796
CVE.ORG link : CVE-2022-44796
JSON object : View
Products Affected
objectfirst
- object_first
CWE
CWE-338
Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG)