This security advisory addresses an authentication bypass vulnerability in the V3 APIs of SupportCenter Plus, caused by user credentials being retained in thread-local storage after an API call completes.
This vulnerability affects customers using versions 11022, 11021, and 11020 of SupportCenter Plus, and we strongly urge all customers to upgrade to the latest version of SupportCenter Plus immediately. This vulnerability does not affect versions below 11020.
This vulnerability allows an adversary to perform operations through the V3 APIs of SupportCenter Plus without the credentials or access rights those operations require. Because user credentials were not cleared from thread-local storage after an API call finished executing, an unauthenticated request that was later handled by the same thread could perform V3 API operations as the previously authenticated user.
What led to the vulnerability?
User credentials were not cleared from thread-local storage after an API call finished executing, so a subsequent request served by the same thread could reuse the previous caller's identity.
Who is affected?
This vulnerability affects SupportCenter Plus customers using versions 11022, 11021, and 11020.
How have we fixed it?
We have corrected the V3 API authentication so that the credentials stored in thread-local storage are cleared once each API call completes and cannot be reused by a subsequent request.
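The following is an added illustration of the flaw described in this advisory and of the shape of the fix; it is not code from SupportCenter Plus or from the vendor. SupportCenter Plus is a Java application and the real defect involved Java thread-local storage, but the same failure mode is reproduced here in Python with threading.local and a thread pool so it can be run directly. The API key table, user names, request headers and handler names are all constructed for the example. A pool with one worker guarantees that both requests are served by the same thread, which is what makes the stale identity observable.

```python
import threading
from concurrent.futures import ThreadPoolExecutor

# Constructed credential store (hypothetical): API key -> user name.
API_KEYS = {"key-for-alice": "alice"}

# Per-thread request context. On a thread pool the same thread serves many
# requests, so anything left here outlives the request that set it.
_ctx = threading.local()


def _authenticate(headers):
    """Return the user for a valid API key in the Authorization header, else None."""
    return API_KEYS.get(headers.get("Authorization"))


def current_user():
    """Identity the authorisation layer would see for the current thread."""
    return getattr(_ctx, "user", None)


def handle_request_vulnerable(headers):
    """Vulnerable pattern: identity is bound only when credentials are present
    and is never cleared. A credential-less request served later by the same
    pooled thread inherits the previous caller's identity."""
    user = _authenticate(headers)
    if user is not None:
        _ctx.user = user
    return current_user()


def handle_request_fixed(headers):
    """Fixed pattern: bind the identity for this request only (None when the
    request carries no valid credentials) and always clear it afterwards,
    even if processing raises. In Java this is ThreadLocal.remove() in finally."""
    _ctx.user = _authenticate(headers)
    try:
        return current_user()
    finally:
        _ctx.user = None


def replay(handler):
    """Serve an authenticated request followed by an unauthenticated one on the
    same pooled thread and return the user each request was processed as."""
    requests = [{"Authorization": "key-for-alice"}, {}]  # constructed sample traffic
    with ThreadPoolExecutor(max_workers=1) as pool:
        return [pool.submit(handler, h).result() for h in requests]


if __name__ == "__main__":
    print("vulnerable:", replay(handle_request_vulnerable))  # ['alice', 'alice']
    print("fixed:     ", replay(handle_request_fixed))       # ['alice', None]
```

The second element of each result is the identity assigned to the request that sent no credentials at all: with the vulnerable handler it is still "alice", which is the bypass described above, while the fixed handler leaves it unauthenticated. The important detail of the fix is that clearing happens in a finally block on every code path, not only after a successful call.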
How to find out if you are affected
Click the Help link in the top-right corner of the SupportCenter Plus web client, and select About from the drop-down to see your current version. Your installation is vulnerable if your current version of SupportCenter Plus is 11022, 11021 or 11020.
Please follow this forum post for any further updates regarding this vulnerability.
What you can do
SupportCenter Plus customers who fit the above criteria can upgrade to the latest version (11023) using the appropriate migration path.
Important note: As always, make a copy of your entire SupportCenter Plus installation folder before applying the upgrade and keep the copy in a separate location. If anything goes wrong during the upgrade, you will have this copy as a backup, which will keep all of your settings intact. If you are using Microsoft SQL Server as a back-end database, back up the SupportCenter Plus database before upgrading. Once the upgrade is successfully completed, remember to delete the backup.
We offer our sincerest apologies for any inconvenience this may have caused. If you have any questions or concerns, please reach out to us at firstname.lastname@example.org.