CVE-2021-22538

Privilege escalation in RBAC system

CVSS 6.3 MEDIUM | EPSS 0.7% | CWE-20
In short

A flaw in Google's Exposure Notification Verification Server allows someone with basic user-writing permissions to trick the system into creating a new user account with more powerful access rights than they should be able to grant. This happens because the system doesn't properly validate which permissions can be assigned.

Technical detail

Insufficient input validation in the RBAC permission assignment logic allows an attacker who holds the UserWrite permission to create users with more privileges than their own by sending a crafted request (or altering a legitimate one through a malicious proxy). The vulnerability affects versions prior to 0.23.1; exploitation requires both UserWrite permission and the ability to craft or intercept requests, and the resulting user creation is recorded in the Event Log, which makes it detectable after the fact.

Summary generated and translated by AI from the official description.
A privilege escalation vulnerability impacting the Google Exposure Notification Verification Server (versions prior to 0.23.1) allows an attacker who (1) has UserWrite permissions and (2) is using a carefully crafted request or malicious proxy, to create another user with higher privileges than their own. This occurs due to insufficient checks on the allowed set of permissions. The new user creation event would be captured in the Event Log.
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L
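The flaw described above comes down to a missing subset check: the server confirmed that the caller held UserWrite, but did not confirm that the permissions being granted to the new user were ones the caller already had. The Go program below is an added illustration, not code from the verification server: the permission names, the bit-flag representation, the `CreateUserVulnerable`/`CreateUserHardened` functions and the `ExcessGrant` review helper are all constructed for this example. It shows the weak check beside the hardened one, and a small function a defender could apply to Event Log entries to flag user-creation events where the granted set exceeds the creator's own rights.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// Permission is a bit-flag permission set, a common way RBAC systems store
// a user's rights. The constants are constructed for this example and are
// not the verification server's own permission identifiers.
type Permission uint64

const (
	UserRead Permission = 1 << iota
	UserWrite
	SettingsWrite
	AdminSuper // hypothetical "highest" permission the attacker wants
)

var allPerms = []Permission{UserRead, UserWrite, SettingsWrite, AdminSuper}
var permNames = map[Permission]string{
	UserRead: "UserRead", UserWrite: "UserWrite",
	SettingsWrite: "SettingsWrite", AdminSuper: "AdminSuper",
}

// String renders a permission set as a readable list for log lines.
func (p Permission) String() string {
	var names []string
	for _, bit := range allPerms {
		if p&bit != 0 {
			names = append(names, permNames[bit])
		}
	}
	if len(names) == 0 {
		return "none"
	}
	return strings.Join(names, "|")
}

// Subset reports whether every bit set in p is also set in of.
func (p Permission) Subset(of Permission) bool { return p&^of == 0 }

type User struct {
	Name  string
	Perms Permission
}

var ErrForbidden = errors.New("forbidden")

// CreateUserVulnerable models the weak check: the only gate is "does the
// actor hold UserWrite?". The requested set is taken straight from the
// request body, so a crafted request can grant rights the actor never had.
func CreateUserVulnerable(actor User, name string, requested Permission) (User, error) {
	if !UserWrite.Subset(actor.Perms) {
		return User{}, ErrForbidden
	}
	return User{Name: name, Perms: requested}, nil
}

// CreateUserHardened adds the missing rule (assumed mitigation): the set
// being granted must be a subset of what the actor already holds.
func CreateUserHardened(actor User, name string, requested Permission) (User, error) {
	if !UserWrite.Subset(actor.Perms) {
		return User{}, ErrForbidden
	}
	if excess := requested &^ actor.Perms; excess != 0 {
		return User{}, fmt.Errorf("%w: cannot grant %v beyond own permissions %v",
			ErrForbidden, excess, actor.Perms)
	}
	return User{Name: name, Perms: requested}, nil
}

// ExcessGrant is a review helper for Event Log entries: given the creator's
// permissions and the permissions the new user was created with, it returns
// the bits that should never have been grantable (zero means nothing odd).
func ExcessGrant(actorPerms, grantedPerms Permission) Permission {
	return grantedPerms &^ actorPerms
}

func main() {
	actor := User{Name: "alice", Perms: UserRead | UserWrite}  // constructed actor
	crafted := UserRead | UserWrite | AdminSuper               // constructed request body

	u, err := CreateUserVulnerable(actor, "mallory", crafted)
	fmt.Printf("vulnerable: created %s with %v (err=%v)\n", u.Name, u.Perms, err)
	fmt.Printf("event-log review flags excess grant: %v\n", ExcessGrant(actor.Perms, u.Perms))

	_, err = CreateUserHardened(actor, "mallory", crafted)
	fmt.Printf("hardened:   %v\n", err)
}
```

The hardened path rejects the request with the exact bits that exceeded the actor's rights, which is also the field worth writing into the audit event; `ExcessGrant` applies the same subset rule retrospectively, so an existing Event Log from an unpatched version can be scanned for user creations that should not have been possible.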
