A flaw exists in the API v2 OAuth access token scope evaluation.
Tokens generated in API responses for signed launch links can be used as highly privileged API access tokens, allowing an attacker to carry out unauthorized API operations.
This vulnerability only impacts customers that meet all of the following criteria:
- Engine is version 2018.1 or above
- The v2 API is enabled (which is the default for these versions, but can be configured with the ApiEnableV2 setting)
- Signed launch links are currently in use
Note: Customers that do not expose the Engine v2 API publicly are at a lower risk. In addition, signed launch link tokens typically have a short expiration time.
No recommended mitigations have been identified. Remediation requires upgrading to a fixed version.
220.127.116.11 and below
2019.1.18.505 and below
2018.1.26.575 and below
Exploit Use Identification
Unless an environment is configured to capture and log HTTP request headers, or full debug logging was previously enabled, conclusive evidence of this vulnerability being exploited is unattainable.
Access logs should be reviewed specifically for non-launch-related API requests initiated from unusual IP addresses. After upgrading to a fixed version, access logs should be monitored for API requests that fail authorization. Positive results, in either case, may indicate attempts to exploit this vulnerability.
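The access-log review described above, sketched as an added example (not part of the original advisory or any vendor tooling). It assumes combined-format access logs, a v2 API path containing `/api/v2/`, launch requests recognizable by `launch` in the path, 401/403 as the authorization-failure statuses, and a constructed network of expected API clients; all of these need adjusting to the deployment.

```python
import ipaddress
import re

# Assumptions (not from the advisory): combined-format access logs, the v2 API
# under a path containing "/api/v2/", launch requests recognizable by "launch"
# in the path, and 401/403 as the authorization-failure statuses.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] '
                    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) ')
API_MARKER, LAUNCH_MARKER = "/api/v2/", "launch"
AUTH_FAILURES = {401, 403}
EXPECTED_NETS = [ipaddress.ip_network("10.20.0.0/16")]  # constructed example range


def is_expected(ip_text):
    try:
        ip = ipaddress.ip_address(ip_text)
    except ValueError:
        return False  # unparseable client field is treated as unusual
    return any(ip in net for net in EXPECTED_NETS)


def review(lines):
    """Return (reason, ip, method, path, status) per request worth a closer look."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        path = m["path"].split("?", 1)[0].lower() if m else ""
        if API_MARKER not in path:
            continue  # unparsed line or not a v2 API request
        hit = (m["ip"], m["method"], m["path"], int(m["status"]))
        if hit[3] in AUTH_FAILURES:  # the signal to watch after upgrading
            findings.append(("auth-failure",) + hit)
        elif LAUNCH_MARKER not in path and not is_expected(m["ip"]):
            findings.append(("non-launch-from-unusual-ip",) + hit)
    return findings


# Constructed sample lines (documentation IP ranges, made-up paths).
SAMPLE = [
    '10.20.3.4 - - [01/Mar/2021:10:00:01 +0000] "POST /engine/api/v2/registrations/reg-1/launchLink HTTP/1.1" 200 512',
    '203.0.113.50 - - [01/Mar/2021:10:02:10 +0000] "GET /engine/api/v2/courses HTTP/1.1" 200 2048',
    '10.20.3.4 - - [01/Mar/2021:10:03:00 +0000] "GET /engine/api/v2/courses HTTP/1.1" 200 2048',
    '198.51.100.7 - - [01/Mar/2021:10:05:44 +0000] "DELETE /engine/api/v2/registrations/reg-1 HTTP/1.1" 403 0',
    '203.0.113.50 - - [01/Mar/2021:10:06:00 +0000] "GET /static/player.js HTTP/1.1" 200 100',
]

if __name__ == "__main__":
    print(*review(SAMPLE), sep="\n")
```

A finding here is a lead for manual review, not proof of exploitation, consistent with the advisory's point that access logs alone are not conclusive.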