ID: CVE-2019-25020
Product: Scytl Secure Vote (sVote)
Version: 2.1
Vulnerability: Unauthenticated REST Endpoints leading to Secure-Data-Manager admin configuration leak

Description

None of the specified JAX-RS REST endpoints in the application require authentication.
An example can be found in the following file: evoting-solution-master/source-code/online-voting-secure-data-manager/secure-data-manager-backend/sdm-ws-rest/src/main/java/com/scytl/products/ov/sdm/ui/ws/rs/application/PreconfigurationResource.java

    @RequestMapping(method = RequestMethod.POST, produces = "application/json")
    @ResponseStatus(value = HttpStatus.CREATED)
    @ApiOperation(value = "Get configuration",
            notes = "Service to retrieve the configuration of administration"
                    + " boards and election events.",
            response = String.class)
    public String createElectionEvent() throws IOException {
        // no authentication or authorization check precedes any of the following
        transactionInfoProvider.generate(tenantId, "", "");
        secureLogger.log(Level.INFO, new LogContent.LogContentBuilder()
                .logEvent(SdmSecureLogEvent.SDM_SYNCHRONIZING_WITH_AP)
                .createLogInfo());
        String result = null;
        if (!isAdminPortalEnabled) {
            LOGGER.info("The application is configured to not have connectivity to Admin Portal, "
                    + "check if this is the expected behavior");
            secureLogger.log(Level.ERROR, new LogContent.LogContentBuilder()
                    .logEvent(SdmSecureLogEvent.SDM_SYNCHRONIZATION_WITH_AP_FAILED)
                    .additionalInfo("err_desc",
                            "The application is configured to not have connectivity to Admin Portal, "
                                    + "check if this is the expected behavior")
                    .createLogInfo());
        } // call to end point to download data from administration portal
        else if (preconfigurationRepository.download(configFile)) {
            // process the downloaded data and return it to the (unauthenticated) caller
            result = preconfigurationRepository.readFromFileAndSave(configFile);
        }
        secureLogger.log(Level.INFO, new LogContent.LogContentBuilder()
                .logEvent(SdmSecureLogEvent.SDM_SYNCHRONIZED_WITH_AP_SUCCESSFULLY)
                .createLogInfo());
        return result;
    }

The admin portal is enabled by default:

evoting-solution-master/source-code/online-voting-secure-data-manager/secure-data-manager-backend/sdm-ws-rest/sdmConfig/admin_portal.properties:adminPortal.enabled=true

evoting-solution-master/source-code/online-voting-secure-data-manager/secure-data-manager-backend/secure-data-manager-services/src/main/java/com/scytl/products/ov/sdm/infrastructure/preconfiguration/PreconfigurationRepositoryImpl.java: @Value("${adminPortal.enabled:true}")

By sending a POST request to the following API, the admin configurations can be received:
/sdm-ws-rest/preconfiguration
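The fix for this class of bug is a deny-by-default authorization layer in front of the REST handlers rather than per-endpoint afterthoughts. The following is an added illustration, not code from the sVote project: because the handler on the page is annotated with Spring's @RequestMapping, it uses a Spring Security configuration that requires an authenticated caller with an administrative role before anything under /sdm-ws-rest/ is reachable. The class name, the SDM_ADMIN role, the in-memory user and its placeholder password are all assumptions made for the example.

```java
// Added example, not part of Scytl sVote: deny-by-default Spring Security
// configuration for the Secure Data Manager REST endpoints. Class name, role
// name and the in-memory user are assumptions for illustration only.
package example.sdm.security;

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.http.HttpStatus;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.method.configuration.EnableGlobalMethodSecurity;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
import org.springframework.security.crypto.password.PasswordEncoder;
import org.springframework.security.web.authentication.HttpStatusEntryPoint;

@Configuration
@EnableWebSecurity
@EnableGlobalMethodSecurity(prePostEnabled = true) // enables @PreAuthorize on handlers
public class SdmRestSecurityConfig extends WebSecurityConfigurerAdapter {

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            .authorizeRequests()
                // The endpoint from the advisory: only an SDM administrator may trigger
                // the download of administration-board and election-event configuration.
                .antMatchers("/sdm-ws-rest/preconfiguration").hasRole("SDM_ADMIN")
                // Every other SDM REST resource needs at least an authenticated principal.
                .antMatchers("/sdm-ws-rest/**").authenticated()
                // Anything not explicitly listed is refused, so a newly added resource
                // cannot silently ship without authorization.
                .anyRequest().denyAll()
            .and()
            .exceptionHandling()
                // Anonymous callers receive a plain 401 instead of a login redirect;
                // the JSON body of the handler is never produced for them.
                .authenticationEntryPoint(new HttpStatusEntryPoint(HttpStatus.UNAUTHORIZED))
            .and()
            .httpBasic();
    }

    @Override
    protected void configure(AuthenticationManagerBuilder auth) throws Exception {
        // In-memory principal for illustration only; a deployment would wire its
        // real identity store here. The password is a placeholder, not a real credential.
        auth.inMemoryAuthentication()
            .withUser("sdm-operator")
            .password(passwordEncoder().encode("CHANGE-ME-PLACEHOLDER"))
            .roles("SDM_ADMIN");
    }

    @Bean
    public PasswordEncoder passwordEncoder() {
        return new BCryptPasswordEncoder();
    }
}
```

With this in place an anonymous POST to /sdm-ws-rest/preconfiguration is answered with 401 before the handler runs, so the transactionInfoProvider and secureLogger calls in the original method are never reached for unauthenticated traffic. For defence in depth the handler itself can additionally carry @PreAuthorize("hasRole('SDM_ADMIN')"), which the @EnableGlobalMethodSecurity line above activates; that way a later change to the URL matchers cannot reopen the endpoint on its own. The two access-denied outcomes (401 from the entry point, 403 from a role mismatch) are also the events worth alerting on in the SDM logs, since repeated occurrences against this path indicate someone probing the configuration endpoint.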

Disclosure Timeline

Credit

Jannis Kirschner & Anthony Schneiter from Team SUID