Cyber Resilience

CVE-2022-25237

Critical · Public PoC

Published: 02 June 2022
Modified: 21 November 2024
KEV Added: not listed
Patch: none referenced
CVSS Score v3.1: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.9107 (99.7th percentile)
Risk Priority: 74 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2022-25237 is a critical-severity vulnerability in Bonitasoft Bonita Web whose weakness type (CWE) is not yet specified. Its CVSS base score is 9.8 (Critical).

Operationally, it is ranked in the top 0.3% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

Deeper analysis

Bonita Web 2021.2 contains an authentication and authorization bypass vulnerability in the RestAPIAuthorizationFilter component. The flaw stems from an overly broad exclude pattern in that filter: any request URL containing the i18ntranslation marker is treated as a public translation resource and skips the authorization check, so appending ;i18ntranslation or /../i18ntranslation/ to a request URL lets an unauthenticated client reach privileged REST API endpoints. The issue received a CVSS v3.1 score of 9.8.

An unauthenticated remote attacker can leverage the bypass to reach administrative API actions that would otherwise require privileges. Successful exploitation enables remote code execution on the affected server.
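Because the bypass leaves a distinctive trace in the request path, a defender's first check is to scan web-server access logs in front of Bonita for the two indicators the advisory names. The following script is an added example and is not code from the page, from Bonitasoft, or from Rhino Security Labs. It assumes a Common Log Format access log; the sample lines are constructed, and the "apparent target" it reports (the path preceding the smuggled marker) is an assumption about which endpoint the request was aimed at, not a statement about how Bonita resolves the path internally. It percent-decodes the path first so that encoded variants of ";" or ".." are not missed.

```python
"""Scan access logs for CVE-2022-25237 bypass indicators (added example).

Assumptions: Common Log Format lines; the i18ntranslation marker appears
either as a matrix parameter (";i18ntranslation") or as a segment right
after "..". Sample log lines below are constructed, not real traffic.
"""
import re
from urllib.parse import unquote

# Constructed sample access-log lines (not from the page or real traffic).
SAMPLE_LOG = """\
10.0.0.5 - - [02/Jun/2022:10:00:01 +0000] "GET /bonita/API/system/i18ntranslation?f=locale=en HTTP/1.1" 200 512
10.0.0.9 - - [02/Jun/2022:10:00:02 +0000] "GET /bonita/API/bpm/case;i18ntranslation HTTP/1.1" 200 2048
10.0.0.9 - - [02/Jun/2022:10:00:03 +0000] "POST /bonita/API/portal/page/../i18ntranslation/ HTTP/1.1" 200 1024
10.0.0.7 - - [02/Jun/2022:10:00:04 +0000] "GET /bonita/API/bpm/process HTTP/1.1" 401 0
10.0.0.9 - - [02/Jun/2022:10:00:05 +0000] "GET /bonita/API/bpm/process%3bi18ntranslation HTTP/1.1" 200 4096
"""

# Common Log Format: client, ident, user, [timestamp], "METHOD target proto", status, size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

MARKER = "i18ntranslation"


def apparent_target(path: str):
    """Return (is_suspicious, apparent_target_path).

    Percent-decodes the path, drops the query string, then walks the
    segments looking for the marker smuggled in as a matrix parameter or
    placed directly after a ".." segment. A plain /.../i18ntranslation
    request (the legitimate translation endpoint) is not flagged.
    """
    decoded = unquote(path).split("?", 1)[0]
    segments = decoded.split("/")
    for i, seg in enumerate(segments):
        name, _, matrix = seg.partition(";")
        if matrix.lower().startswith(MARKER):
            # ";i18ntranslation" glued onto a real segment: report that segment's path
            return True, "/".join(segments[:i] + [name])
        if seg.lower() == MARKER and i > 0 and segments[i - 1] == "..":
            # "/../i18ntranslation": report the path before the dot-dot segment
            return True, "/".join(segments[: i - 1])
    return False, decoded


def scan_log(text: str):
    """Parse each log line and collect requests carrying a bypass indicator."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # not a CLF line; skip rather than fail
        suspicious, target = apparent_target(m["target"])
        if suspicious:
            hits.append({
                "ip": m["ip"],
                "method": m["method"],
                "status": int(m["status"]),
                "raw": m["target"],
                "apparent_target": target,
            })
    return hits


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(f"{hit['ip']} {hit['method']} {hit['raw']} -> {hit['apparent_target']} (HTTP {hit['status']})")
```

A 200 response on a flagged request from an unauthenticated client is the signal worth escalating; the legitimate translation lookup on the first line is deliberately left alone so the rule does not page on normal UI traffic.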

The provided references consist of the Bonita Web GitHub repository and a detailed analysis from Rhino Security Labs; neither source supplies explicit patch or mitigation guidance within the given information. The EPSS score for this CVE currently stands at 0.9107 with a recorded peak of 0.9298.

EU & UK References

Vulnerability details

Bonita Web 2021.2 is affected by an authentication/authorization bypass vulnerability due to an overly broad exclude pattern used in the RestAPIAuthorizationFilter. By appending ;i18ntranslation or /../i18ntranslation/ to the end of a URL, users with no privileges can access privileged API endpoints. This can lead to remote code execution by abusing the privileged API actions.

CWE(s)

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

Bonitasoft Bonita Web 2021.2

Mitigating Controls

No mitigating controls mapped yet. The per-CVE control annotator has not reached this CVE.

References