Impact
Users of the VelaUX APIServer could be affected by this vulnerability.
The VelaUX APIServer used the PlatformID as the signing key for the JWT tokens it issues to users. Another API, getSystemInfo, exposes the platformID. Anyone who can call getSystemInfo can therefore read the platformID and use it to forge JWT tokens with arbitrary claims, bypassing authentication.
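The following is an added illustration of the pattern described above, not VelaUX's own code: a minimal HS256 JWT signer/verifier in Go, a server whose signing key is a public platform identifier, and an attacker who reads that identifier from a simulated getSystemInfo and mints an admin token. The same forgery is then run against a server that signs with a random secret generated at startup, which is the shape of fix the advisory implies. The platformID value, the claim names and the getSystemInfo helper are constructed for this example.

```go
package main

import (
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"strings"
)

// JWT uses base64url without padding (RFC 7515).
var b64 = base64.RawURLEncoding

// signHS256 builds a compact JWT (header.payload.signature) with HMAC-SHA256.
func signHS256(secret []byte, claims map[string]any) (string, error) {
	header := b64.EncodeToString([]byte(`{"alg":"HS256","typ":"JWT"}`))
	payload, err := json.Marshal(claims)
	if err != nil {
		return "", err
	}
	signingInput := header + "." + b64.EncodeToString(payload)
	mac := hmac.New(sha256.New, secret)
	mac.Write([]byte(signingInput))
	return signingInput + "." + b64.EncodeToString(mac.Sum(nil)), nil
}

// verifyHS256 pins the algorithm to HS256, checks the MAC in constant time
// and returns the claims only if the signature is valid.
func verifyHS256(secret []byte, token string) (map[string]any, bool) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, false
	}
	hdrJSON, err := b64.DecodeString(parts[0])
	if err != nil {
		return nil, false
	}
	var hdr struct {
		Alg string `json:"alg"`
	}
	if json.Unmarshal(hdrJSON, &hdr) != nil || hdr.Alg != "HS256" {
		return nil, false
	}
	mac := hmac.New(sha256.New, secret)
	mac.Write([]byte(parts[0] + "." + parts[1]))
	sig, err := b64.DecodeString(parts[2])
	if err != nil || !hmac.Equal(sig, mac.Sum(nil)) {
		return nil, false
	}
	payload, err := b64.DecodeString(parts[1])
	if err != nil {
		return nil, false
	}
	var claims map[string]any
	if json.Unmarshal(payload, &claims) != nil {
		return nil, false
	}
	return claims, true
}

// platformID stands in for the installation identifier the advisory says was
// both the JWT signing key and a value returned by getSystemInfo. Constructed.
const platformID = "0f3a7c2e-constructed-platform-id"

// getSystemInfo simulates the endpoint that leaks the platform ID (assumption).
func getSystemInfo() map[string]string {
	return map[string]string{"platformID": platformID}
}

// ForgeWithExposedPlatformID models the vulnerable deployment: the server signs
// with platformID, the attacker reads platformID from getSystemInfo and mints an
// admin token. Returns true when the server accepts the forgery.
func ForgeWithExposedPlatformID() bool {
	serverKey := []byte(platformID) // vulnerable: key derived from public data
	leaked := getSystemInfo()["platformID"]
	forged, err := signHS256([]byte(leaked), map[string]any{"username": "admin"})
	if err != nil {
		return false
	}
	claims, ok := verifyHS256(serverKey, forged)
	return ok && claims["username"] == "admin"
}

// ForgeAgainstRandomSecret models the fix: a random 32-byte key generated at
// startup and never exposed by any API. The same platformID-based forgery must
// be rejected while a token the server itself issued still verifies.
func ForgeAgainstRandomSecret() bool {
	serverKey := make([]byte, 32)
	if _, err := rand.Read(serverKey); err != nil {
		return false
	}
	leaked := getSystemInfo()["platformID"]
	forged, _ := signHS256([]byte(leaked), map[string]any{"username": "admin"})
	legit, _ := signHS256(serverKey, map[string]any{"username": "alice"})
	_, forgedOK := verifyHS256(serverKey, forged)
	_, legitOK := verifyHS256(serverKey, legit)
	return !forgedOK && legitOK
}

func main() {
	fmt.Println("forgery accepted with platformID as key:", ForgeWithExposedPlatformID())
	fmt.Println("forgery rejected with random key:       ", ForgeAgainstRandomSecret())
}
```

The lesson is independent of the JWT library in use: any value that an unauthenticated or low-privileged API returns cannot serve as an HMAC secret, and the fix is a key that is generated from a CSPRNG (or supplied from a secret store) and never reaches a response body.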
Patches
Users on v1.4 should update to v1.4.11.
Users on v1.5 should update to v1.5.3.
References
Fixed in #4634
For more information
If you have any questions or comments about this advisory: