Announced: 2020-06-25
Vulnerability
A flaw exists in the API v2 OAuth access token scope evaluation.
Tokens generated in API responses for signed launch links can be used as highly privileged API access tokens, allowing an attacker to carry out unauthorized API operations.
Impacted Versions
20.1.5.89 and below
2019.1.18.505 and below
2018.1.26.575 and below
Customers Impacted
This vulnerability only impacts customers that meet all of the following criteria:
- Engine is version 2018.1 or above
- The v2 API is enabled (which is the default for these versions, but can be configured with the ApiEnableV2 setting)
- Signed launch links are currently in use
Note: Customers that do not expose the Engine v2 API publicly are at a lower risk. In addition, signed launch link tokens typically have a short expiration time.
Discovery Date
2020-06-18
Mitigations
No recommended mitigations have been identified. Remediation requires upgrading to a fixed version.
Fixed Date
2020-06-24
Fixed Versions
20.1.6.108
2019.1.19.509
2018.1.27.581
Exploit Use Identification
Unless an environment is configured to capture and log HTTP request headers, or full debug logging was previously enabled, conclusive evidence of this vulnerability being exploited is unattainable.
Access logs should be reviewed specifically for non-launch-related API requests initiated from unusual IP addresses. After upgrading to a fixed version, access logs should be monitored for API requests that fail authorization. Positive results, in either case, may indicate attempts to exploit this vulnerability.
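
The log review described above can be scripted. The following is an added example, not code from the vendor or the product: it assumes combined-format access logs, and the `/api/v2/` prefix, the `launch` path marker, the known networks and the sample lines are all assumptions to replace with values from your own deployment.

```python
import ipaddress
import re

# Assumptions, not from the advisory: combined-format access logs, the v2 API
# served under /api/v2/, launch-related paths containing "launch", and the
# networks below being where API calls normally originate.
API_PREFIX = "/api/v2/"
LAUNCH_MARKER = "launch"
KNOWN_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "192.0.2.0/28")]

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)

def review(lines, known_nets=KNOWN_NETS):
    """Return (line_no, reason, ip, method, path, status) for lines to triage."""
    findings = []
    for n, line in enumerate(lines, 1):
        m = LINE_RE.match(line)
        if not m:
            continue  # not an access-log line in the assumed format
        path = m["path"].split("?", 1)[0].lower()  # ignore the query string
        if API_PREFIX not in path:
            continue
        try:
            ip = ipaddress.ip_address(m["ip"])
        except ValueError:
            continue  # hostname or malformed client field
        status = int(m["status"])
        unusual = not any(ip in net for net in known_nets)
        if status in (401, 403):
            reason = "api-authorization-failure"  # watch for these after upgrading
        elif unusual and LAUNCH_MARKER not in path:
            reason = "non-launch-api-from-unusual-ip"
        else:
            continue
        findings.append((n, reason, str(ip), m["method"], path, status))
    return findings

# Constructed sample lines (documentation IP ranges, hypothetical paths).
SAMPLE = [
    '10.1.2.3 - - [20/Jun/2020:10:00:01 +0000] "GET /api/v2/registrations HTTP/1.1" 200 512 "-" "-"',
    '203.0.113.50 - - [20/Jun/2020:10:05:12 +0000] "GET /api/v2/launch/abc HTTP/1.1" 200 300 "-" "-"',
    '203.0.113.50 - - [20/Jun/2020:10:05:40 +0000] "GET /api/v2/registrations?x=launch HTTP/1.1" 200 900 "-" "-"',
    '198.51.100.7 - - [25/Jun/2020:09:12:00 +0000] "GET /api/v2/courses HTTP/1.1" 403 120 "-" "-"',
    '203.0.113.50 - - [20/Jun/2020:10:06:00 +0000] "GET /static/player.js HTTP/1.1" 200 4096 "-" "-"',
]
```

Calling `review(SAMPLE)` flags sample lines 3 and 4. A flagged line is a lead for triage, not proof of exploitation, since the advisory notes that conclusive evidence requires captured request headers or debug logging.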