{
  "url": "http://public2.vulnerablecode.io/api/vulnerabilities/30479?format=json",
  "vulnerability_id": "VCID-t2gf-z94c-tyam",
  "summary": "API Admin Auth Weakness\nTomato is a Node.js web framework.\n\nThe tomato API has an admin service that is enabled by setting up an access_key in the config options. This access_key is intended to protect the API admin from unauthorized access.\n\nThe key is checked by checking to see if the access_key provided in the request is within the configured access_key string, not equal to. So a single character that's within the access key is sufficient to bypass this control.\n\n### Example:\nThis is the snippet of code that does the comparison to authorize requests.\n\n```\nif (access_key && config.master.api.access_key.indexOf(access_key) !== -1) {\n```\n\nFor an access_key that is set to anything that includes the letter 'a' the following request would be authorized.\n\n```\n$ curl -X POST \"http://localhost:8081/api/exec\" -H \"Content-Type: application/json\" -d @test -H \"access-key: a\"\n{\n \"cmd\": \"ls\",\n \"path\": \".\",\n \"stdout\": \"app.js\\nconfig.js\\nlog\\nnode_modules\\nserver.js\\n\",\n \"stderr\": \"\"\n}\n```\n\n### Mitigating factors:\n\nThe admin interface is disabled by default. The module author confirmed that the access_key should really be an array of access_keys, however based on variable name and documentation it was not clear that it should be an array. The vulnerability exists only if a string access_key is set.\n\nModule version 0.0.6 has been updated to ensure an array of keys is provided as well as documentation updates.",
  "aliases": [
    {"alias": "CVE-2013-7379"}
  ],
  "fixed_packages": [
    {
      "url": "http://public2.vulnerablecode.io/api/packages/6506?format=json",
      "purl": "pkg:npm/tomato@0.0.6",
      "is_vulnerable": false,
      "affected_by_vulnerabilities": [],
      "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/tomato@0.0.6"
    }
  ],
  "affected_packages": [
    {
      "url": "http://public2.vulnerablecode.io/api/packages/6505?format=json",
      "purl": "pkg:npm/tomato@0.0.5",
      "is_vulnerable": true,
      "affected_by_vulnerabilities": [
        {"vulnerability": "VCID-t2gf-z94c-tyam"}
      ],
      "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/tomato@0.0.5"
    }
  ],
  "references": [
    {
      "reference_url": "http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-7379",
      "reference_id": "",
      "reference_type": "",
      "scores": [],
      "url": "http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-7379"
    },
    {
      "reference_url": "https://github.com/nodejs/security-wg/blob/main/vuln/npm/38.json",
      "reference_id": "38",
      "reference_type": "",
      "scores": [
        {"value": "6.5", "scoring_system": "cvssv3", "scoring_elements": ""}
      ],
      "url": "https://github.com/nodejs/security-wg/blob/main/vuln/npm/38.json"
    }
  ],
  "weaknesses": [
    {
      "cwe_id": 1035,
      "name": "OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities",
      "description": "Weaknesses in this category are related to the A9 category in the OWASP Top Ten 2017."
    },
    {
      "cwe_id": 287,
      "name": "Improper Authentication",
      "description": "When an actor claims to have a given identity, the product does not prove or insufficiently proves that the claim is correct."
    },
    {
      "cwe_id": 937,
      "name": "OWASP Top Ten 2013 Category A9 - Using Components with Known Vulnerabilities",
      "description": "Weaknesses in this category are related to the A9 category in the OWASP Top Ten 2013."
    }
  ],
  "exploits": [],
  "severity_range_score": "6.5 - 6.5",
  "exploitability": null,
  "weighted_severity": null,
  "risk_score": null,
  "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-t2gf-z94c-tyam"
}