Security Bulletin
Security notifications affecting the IP Fabric solution published according to our Security Incident Response policy.
Upgrade information
Upgrade information can be found in the System Update section.
NIM-9199: Privilege escalation via Admin portal
| Severity | Affected Versions | Fix Version |
|---|---|---|
| High | 5.0.2 or earlier | 6.0.1 |
A read-only user can create an escalated privilege account by taking advantage of token validation.
Tokens issued in the web app are accepted without proper validation. Using that, users of any privilege level can call an API endpoint for creating a new admin user account using their token. Then it is possible to escalate their privilege by logging into the new account.
NIM-9023: API Token privilege escalation
| Severity | Affected Versions | Fix Version |
|---|---|---|
| High | 5.0.0, 5.0.1 or 5.0.2 | 6.0.1 |
Users can create an API token with RBAC properties that the token is not authorised for.
An API token can be generated that allows unauthorised collection of network data or modification of IP Fabric system settings.