Security advisory


V3 API authentication bypass vulnerability in SupportCenter Plus

Severity : Critical

CVE ID : CVE-2022-36412

Affected software version(s) : 11022, 11021, and 11020. Other versions remain unaffected.

Fixed version(s) : 11023

Fixed on : July 21, 2022

Details

This vulnerability allows an adversary to perform multiple operations through the V3 APIs of SupportCenter Plus without supplying the necessary credentials. Because the credentials of a previously authenticated user were not properly flushed after that user's request, a subsequent non-login user could perform V3 API operations under that user's authentication.

Impact

This vulnerability allows unauthenticated users to perform any V3 API operation in the context of another, previously authenticated user.

How have we fixed it?

Proper API authentication is now enforced on each request, and the credentials of the previous user are wiped so that they cannot be reused by a later request.
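The bug class the Details and fix sections describe, modelled as an added example (hypothetical code, not SupportCenter Plus's own): an API handler whose authentication context is set on login but never flushed, beside a variant that wipes the context when each request finishes. The user store, `Authorization` header format and request paths are constructed for the demonstration.

```python
# Added example: illustrates stale authentication state leaking across
# requests. Hypothetical code, not the product's implementation.
from dataclasses import dataclass, field
from typing import Optional

# Constructed sample credential store.
USERS = {"alice": "s3cret"}


@dataclass
class Request:
    path: str
    headers: dict = field(default_factory=dict)


class LeakyApi:
    """Auth context lives on the shared handler and is never cleared."""

    def __init__(self) -> None:
        self.current_user: Optional[str] = None  # shared across requests

    def handle(self, req: Request) -> tuple[int, str]:
        # Constructed header scheme: "Authorization: <user>:<password>".
        auth = req.headers.get("Authorization")
        if auth:
            user, _, pw = auth.partition(":")
            if USERS.get(user) != pw:
                return 401, "bad credentials"
            self.current_user = user  # BUG: persists into the next request
        if self.current_user is None:
            return 401, "unauthenticated"
        return 200, f"{req.path} as {self.current_user}"


class FixedApi(LeakyApi):
    """Same context object, but wiped when each request finishes, so a later
    request without credentials cannot inherit it (mirrors the advisory fix)."""

    def handle(self, req: Request) -> tuple[int, str]:
        try:
            return super().handle(req)
        finally:
            self.current_user = None  # flush per-request auth state


def replay(api: LeakyApi) -> list[int]:
    """Constructed sequence: an authenticated call, then one with no credentials."""
    first = Request("/api/v3/items", {"Authorization": "alice:s3cret"})
    second = Request("/api/v3/items")  # no credentials at all
    return [api.handle(first)[0], api.handle(second)[0]]
```

With the leaky handler the second, credential-less request succeeds as alice; with the fixed handler it is rejected.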

Steps to upgrade

Customers must upgrade to the latest version of SupportCenter Plus (11023) using the appropriate migration path listed here.

Work-around/Fix

Customers must upgrade to the latest version of SupportCenter Plus (11023).

Acknowledgements

This vulnerability was reported by Raphael Cheneau.
