medium
6.2
CWE
288 306
Advisory Published
Updated

CVE-2022-31022: Missing Role Based Access Control for the REST handlers in bleve/http package

First published: Wed Jun 01 2022(Updated: )

Bleve is a text indexing library for go. Bleve includes HTTP utilities under bleve/http package, that are used by its sample application. These HTTP methods pave way for exploitation of a node’s filesystem where the bleve index resides, if the user has used bleve’s own HTTP (bleve/http) handlers for exposing the access to the indexes. For instance, the CreateIndexHandler (`http/index_create.go`) and DeleteIndexHandler (`http/index_delete.go`) enable an attacker to create a bleve index (directory structure) anywhere where the user running the server has the write permissions and to delete recursively any directory owned by the same user account. Users who have used the bleve/http package for exposing access to bleve index without the explicit handling for the Role Based Access Controls(RBAC) of the index assets would be impacted by this issue. There is no patch for this issue because the http package is purely intended to be used for demonstration purposes. Bleve was never designed handle the RBACs, nor it was ever advertised to be used in that way. The collaborators of this project have decided to stay away from adding any authentication or authorization to bleve project at the moment. The bleve/http package is mainly for demonstration purposes and it lacks exhaustive validation of the user inputs as well as any authentication and authorization measures. It is recommended to not use bleve/http in production use cases.

Credit: security-advisories@github.com

Affected SoftwareAffected VersionHow to fix
Couchbase Bleve>=0.1.0

Remedy

https://github.com/blevesearch/bleve/commit/1c7509d6a17d36f265c90b4e8f4e3a3182fe79ff

Never miss a vulnerability like this again

Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.

Read MoreStart Free Trial

Reference Links

Frequently Asked Questions

  • What is CVE-2022-31022?

    CVE-2022-31022 is a vulnerability in the Bleve text indexing library for Go that allows exploitation of a node's filesystem where the Bleve index resides.

  • How does CVE-2022-31022 affect Couchbase Bleve?

    CVE-2022-31022 affects Couchbase Bleve versions 0.1.0 and newer.

  • What is the severity rating of CVE-2022-31022?

    The severity rating of CVE-2022-31022 is 5.5 (Medium).

  • How can CVE-2022-31022 be fixed?

    To fix CVE-2022-31022, it is recommended to update to a patched version of Bleve library.

  • Where can I find more information about CVE-2022-31022?

    You can find more information about CVE-2022-31022 on the GitHub page of Bleve and the associated security advisories.

Company

Resources

Contact

SecAlerts Pty Ltd.
132 Wickham Terrace
Fortitude Valley,
QLD 4006, Australia
info@secalerts.co
By using SecAlerts services, you agree to our services end-user license agreement. This website is safeguarded by reCAPTCHA and governed by the Google Privacy Policy and Terms of Service. All names, logos, and brands of products are owned by their respective owners, and any usage of these names, logos, and brands for identification purposes only does not imply endorsement. If you possess any content that requires removal, please get in touch with us.
© 2024 SecAlerts Pty Ltd.
ABN: 70 645 966 203, ACN: 645 966 203