I told you there are more CVEs coming! Getting to the end of this chunk finally! There are only 3 more CVEs I have reserved which are waiting on developer confirmation/responsible disclosure dates to pass.
Anyway, these were found the same nights as the other ones but we found they only affect version 0.5.5 so not the current version at the time of our testing. So we saw them as less of a priority. Since they were also assigned CVEs figured I’d get a brief overview about them! Again this was with my co-worker at nVisium, Bruno Hernández (GitHub and LinkedIn).
CVE-2022-34615 is self-explanatory. Mealie v0.5.5 was found to support a weak password policy. This makes dictionary or brute force attacks trivial. In this case, one character passwords were allowed.
CVE-2022-34621 is a Insecure Direct Object Reference (IDOR) vulnerability. Specifically the “user_id” parameter was vulnerable across all instances of it. This allowed any authenticated user to change the password of any other user (including administrators) as well as change their profile images or whatever else.
CVE-2022-34623 is a user enumeration vulnerability. When attempting to log in, if you put a proper username and an improper password the application takes a significantly longer time to respond compared to a improper user and improper password. This allows an unauthenticated attacker to determine what usernames/emails are registered on the application.
CVE-2022-34624 is a session termination/expiration issue. Specifically the JWT used to download files do not expire after logout or in a reasonable amount of time. This means that any attacker within a Man-In-The-Middle (MiTM) position or anyone with access to the web server logs can reuse the user’s download token to download the file.