@valtimo/components exposes access token to form.io
CVE-2024-34706

9.8CRITICAL

Key Information:

Vendor

Valtimo-platform

Status
Valtimo-frontend-libraries
Vendor
CVE Published:
14 May 2024

What is CVE-2024-34706?

Valtimo is an open-source business process and case management platform that has been identified with a vulnerability where user access tokens (JWT) can be exposed through the x-jwt-token header when a form is accessed. This misconfiguration of the Form.io component permits attackers with network traffic access on api.form.io to collect sensitive personal information or to perform unauthorized API requests on behalf of the logged-in users. The exploitation requires that the attacker has visibility on the token’s header logging and can access the Valtimo API within the access token's time-to-live, which defaults to 5 minutes in Keycloak. Versions 10.8.4, 11.1.6, and 11.2.2 have been released with patches addressing this issue.

Affected Version(s)

valtimo-frontend-libraries < 10.8.4 < 10.8.4

valtimo-frontend-libraries >= 11.0.0, < 11.1.6 < 11.0.0, 11.1.6

valtimo-frontend-libraries >= 11.2.0, < 11.2.2 < 11.2.0, 11.2.2

References

https://github.com/valtimo-platform/valtimo-frontend-libr...
x_refsource_CONFIRM
https://github.com/valtimo-platform/valtimo-frontend-libr...
x_refsource_MISC
https://github.com/valtimo-platform/valtimo-frontend-libr...
x_refsource_MISC

CVSS V3.1

Score:
9.8
Severity:
CRITICAL
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

JSON
.