CHT Security Red Team Discovered Several Vulnerabilities in Well-Known Workflow Platform

Summary

Vulnerability List

[CVE-2021-28171] - Broken Authentication

[CVE-2021-28172] - Path Traversal

[CVE-2021-28173] - Unrestricted File Upload



Details

1. Broken Authentication

Description

The workflow server authenticates users by means of a specific cookie.

Impact

Attackers can tamper with the value of that cookie to authenticate as any user without knowing that user's password.

Known Affected Software

  • version 4

2. Path Traversal

Description

A parameter of the download function is affected by path traversal.

Impact

Attackers can download any file on the workflow server without privilege.
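A defensive illustration of the check whose absence produces this class of bug, added here and not taken from the affected product or from CHT Security: the download handler canonicalises the requested name and serves it only if the result stays inside the download root. The names `resolve_download` and `DownloadRejected`, the directory layout and the sample requests are constructed assumptions.

```python
import os
import tempfile
from pathlib import Path


class DownloadRejected(Exception):
    """Raised when a requested name must not be served."""


def resolve_download(root: Path, requested: str) -> Path:
    """Map a user-supplied name to a real file inside `root`, or raise."""
    if not requested or "\x00" in requested:
        raise DownloadRejected("empty name or NUL byte")
    root_real = root.resolve(strict=True)
    # Join, then canonicalise: resolve() collapses ".." and follows symlinks,
    # so the containment check sees the file that would actually be opened.
    candidate = (root_real / requested).resolve(strict=False)
    try:
        candidate.relative_to(root_real)  # absolute names and ".." fail here
    except ValueError:
        raise DownloadRejected(f"outside download root: {requested!r}") from None
    if not candidate.is_file():
        raise DownloadRejected(f"not a regular file: {requested!r}")
    return candidate


def demo() -> dict:
    """Run constructed requests against a throwaway tree; True means served."""
    with tempfile.TemporaryDirectory() as tmp:
        base = Path(tmp)
        root = base / "attachments"
        (root / "forms").mkdir(parents=True)
        (root / "forms" / "leave.txt").write_text("ok")
        (base / "secret.cfg").write_text("outside the root")
        os.symlink(base / "secret.cfg", root / "link.cfg")  # link escaping root
        requests = [
            "forms/leave.txt", "forms/../forms/leave.txt",  # stay inside root
            "../secret.cfg", "forms/../../secret.cfg",      # climb out of root
            str(base / "secret.cfg"), "link.cfg", "forms",  # absolute, symlink, dir
        ]
        results = {}
        for name in requests:
            try:
                resolve_download(root, name)
                results[name] = True
            except DownloadRejected:
                results[name] = False
        return results
```

The check runs on the resolved path rather than on the raw string, so encoded or nested `..` sequences that survive a substring filter are still caught once the framework has decoded the parameter.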

Known Affected Software

  • version 4

3. Unrestricted File Upload 

Description

There is an unauthenticated upload function that does not restrict the file type.

Impact

Attackers can upload a file with any file extension, which leads to arbitrary code execution on the workflow server without privilege.

Known Affected Software

  • version 4

Credits

  • Jiarong Chen (CHT Security)
  • Hans Wang (CHT Security)
  • TsungShu Chiu (CHT Security)