CVE-2022-25237
Published: 02 June 2022
Summary
CVE-2022-25237 is a critical-severity vulnerability in Bonitasoft Bonita Web; the weakness type (CWE) is not specified on this page. Its CVSS base score is 9.8 (Critical).
Operationally, it ranks in the top 0.3% of CVEs by exploit likelihood (EPSS); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
Deeper analysis
Bonita Web 2021.2 contains an authentication and authorization bypass vulnerability in the RestAPIAuthorizationFilter component. The flaw stems from an overly broad exclude pattern that permits unauthenticated access to privileged REST API endpoints when an attacker appends ;i18ntranslation or /../i18ntranslation/ to a request URL. The issue received a CVSS v3.1 score of 9.8.
An unauthenticated remote attacker can leverage the bypass to reach administrative API actions that would otherwise require privileges. Successful exploitation enables remote code execution on the affected server.
The provided references consist of the Bonita Web GitHub repository and a detailed analysis from Rhino Security Labs; neither source supplies explicit patch or mitigation guidance within the given information. The EPSS score for this CVE currently stands at 0.9107 with a recorded peak of 0.9298.
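The bypass described above is a classic mismatch between what the authorization filter matches on (the raw request URI) and what the servlet container actually routes to (the normalized path). The following is an added example, not Bonita's code: the exclude pattern, the public path and the log lines are constructed for illustration. It contrasts a broad substring exclusion with a normalize-then-allow-list check, and includes a small access-log scan that flags requests mentioning i18ntranslation that do not resolve to the legitimate endpoint.

```python
import posixpath
import re
from urllib.parse import unquote, urlsplit

# Hypothetical exclusion rule modelled on the page's description of an
# "overly broad exclude pattern": applied with re.search against the raw
# request URI, so ANY URI containing the token is excluded from auth.
# This is not Bonita's actual pattern.
VULNERABLE_EXCLUDE = re.compile(r"i18ntranslation")

# Hardened variant: a small allow-list of unauthenticated endpoints,
# compared only after the path has been normalized. Path is assumed.
PUBLIC_PATHS = {"/bonita/API/system/i18ntranslation"}


def normalize_path(raw_uri):
    """Approximate the path the container will actually route to."""
    path = unquote(urlsplit(raw_uri).path)
    # Drop matrix/path parameters: "user;i18ntranslation" -> "user".
    path = "/".join(seg.split(";", 1)[0] for seg in path.split("/"))
    # Collapse "." and ".." segments the way a dispatcher would.
    path = posixpath.normpath(path)
    return path if path.startswith("/") else "/" + path


def vulnerable_is_excluded(raw_uri):
    """Broad substring match on the raw URI (the weak check)."""
    return VULNERABLE_EXCLUDE.search(raw_uri) is not None


def hardened_is_excluded(raw_uri):
    """Exact allow-list match on the normalized path (the fixed check)."""
    return normalize_path(raw_uri) in PUBLIC_PATHS


def authorize(raw_uri, authenticated, is_excluded):
    """True if the filter lets the request through to the servlet."""
    return authenticated or is_excluded(raw_uri)


# Constructed sample access-log lines (not real traffic).
SAMPLE_ACCESS_LOG = """\
10.0.0.5 - - [02/Jun/2022:10:00:01 +0000] "GET /bonita/API/system/i18ntranslation?locale=en HTTP/1.1" 200 1843
10.0.0.9 - - [02/Jun/2022:10:00:02 +0000] "GET /bonita/API/identity/user;i18ntranslation?p=0&c=10 HTTP/1.1" 200 512
10.0.0.9 - - [02/Jun/2022:10:00:03 +0000] "GET /bonita/API/identity/user/../i18ntranslation/ HTTP/1.1" 200 512
10.0.0.7 - - [02/Jun/2022:10:00:04 +0000] "GET /bonita/API/identity/user?p=0 HTTP/1.1" 401 0
"""

REQUEST_RE = re.compile(r'"(?:GET|POST|PUT|DELETE)\s+(\S+)')


def find_bypass_attempts(log_text):
    """Return request URIs that mention the public token but resolve elsewhere."""
    hits = []
    for line in log_text.splitlines():
        match = REQUEST_RE.search(line)
        if not match:
            continue
        uri = match.group(1)
        if "i18ntranslation" in unquote(uri) and normalize_path(uri) not in PUBLIC_PATHS:
            hits.append(uri)
    return hits


if __name__ == "__main__":
    probes = [
        "/bonita/API/identity/user;i18ntranslation",
        "/bonita/API/identity/user/../i18ntranslation/",
        "/bonita/API/system/i18ntranslation",
        "/bonita/API/identity/user",
    ]
    for uri in probes:
        print(
            f"{uri:50} routes to {normalize_path(uri):40} "
            f"vulnerable={authorize(uri, False, vulnerable_is_excluded)} "
            f"hardened={authorize(uri, False, hardened_is_excluded)}"
        )
    print("suspicious requests:", find_bypass_attempts(SAMPLE_ACCESS_LOG))
```

The key point the example makes concrete: both bypass forms are excluded by the substring check yet normalize to privileged paths, so the servlet behind the filter serves them unauthenticated. Matching the normalized path against an explicit allow-list closes both forms at once, and the same normalization gives a cheap hunting rule for access logs.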
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2022-29935
Vulnerability details
Bonita Web 2021.2 is affected by an authentication/authorization bypass vulnerability due to an overly broad exclude pattern used in the RestAPIAuthorizationFilter. By appending ;i18ntranslation or /../i18ntranslation/ to the end of a URL, users with no privileges can access privileged API endpoints. This can lead to remote code execution by abusing the privileged API actions.
- CWE(s)
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Mitigating Controls
No mitigating controls mapped yet. The per-CVE control annotator has not reached this CVE.