CVE-2022-28802

Code by Zapier before 2022-08-17 allowed intra-account privilege escalation that included execution of Python or JavaScript code. In other words, Code by Zapier was providing a customer-controlled general-purpose virtual machine that unintentionally granted full access to all users of a company's account, but was supposed to enforce role-based access control within that company's account. Before 2022-08-17, a customer could have resolved this by (in effect) using a separate virtual machine for an application that held credentials - or other secrets - that weren't supposed to be shared among all of its employees. (Multiple accounts would have been needed to operate these independent virtual machines.)

CVSS v3 9.9 CRITICAL

9.9^/10

CVSS v3 : CRITICAL

Vector :

Exploitability : 3.1 / Impact : 6.0

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required LOW

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope CHANGED

References

Link	Resource
https://www.zenity.io/blog/zapescape-organization-wide-control-over-code-by-zapier/	Mitigation Vendor Advisory
https://www.zenity.io/blog/zapescape-vulnerability-disclosure/	Mitigation Vendor Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:zapier:code_by_zapier:*:*:*:*:*:*:*:*

History

No history.

Information

Published : 2022-09-21 20:15

Updated : 2024-02-28 19:29

NVD link : CVE-2022-28802

Mitre link : CVE-2022-28802

CVE.ORG link : CVE-2022-28802

JSON object : View

Products Affected

zapier

code_by_zapier

CWE

CWE-732

Incorrect Permission Assignment for Critical Resource

{"id": "CVE-2022-28802", "metrics": {"cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "CHANGED", "version": "3.1", "baseScore": 9.9, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}, "impactScore": 6.0, "exploitabilityScore": 3.1}]}, "published": "2022-09-21T20:15:10.027", "references": [{"url": "https://www.zenity.io/blog/zapescape-organization-wide-control-over-code-by-zapier/", "tags": ["Mitigation", "Vendor Advisory"], "source": "cve@mitre.org"}, {"url": "https://www.zenity.io/blog/zapescape-vulnerability-disclosure/", "tags": ["Mitigation", "Vendor Advisory"], "source": "cve@mitre.org"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-732"}]}], "descriptions": [{"lang": "en", "value": "Code by Zapier before 2022-08-17 allowed intra-account privilege escalation that included execution of Python or JavaScript code. In other words, Code by Zapier was providing a customer-controlled general-purpose virtual machine that unintentionally granted full access to all users of a company's account, but was supposed to enforce role-based access control within that company's account. Before 2022-08-17, a customer could have resolved this by (in effect) using a separate virtual machine for an application that held credentials - or other secrets - that weren't supposed to be shared among all of its employees. (Multiple accounts would have been needed to operate these independent virtual machines.)"}, {"lang": "es", "value": "Code by Zapier versiones anteriores a 17-08-2022, permit\u00eda una escalada de privilegios dentro de la cuenta que inclu\u00eda una ejecuci\u00f3n de c\u00f3digo Python o JavaScript. En otras palabras, Code by Zapier estaba proporcionando una m\u00e1quina virtual de prop\u00f3sito general controlada por el cliente que involuntariamente otorgaba acceso completo a todos los usuarios de la cuenta de una empresa, pero supon\u00eda que deb\u00eda hacer cumplir el control de acceso basado en roles dentro de la cuenta de esa empresa. En versiones anteriores a 17-08-2022, un cliente podr\u00eda haber resuelto esto usando (en efecto) una m\u00e1quina virtual separada para una aplicaci\u00f3n que contuviera credenciales -u otros secretos- que no deb\u00edan ser compartidos entre todos sus empleados. (Se habr\u00edan necesitado varias cuentas para operar estas m\u00e1quinas virtuales independientes)"}], "lastModified": "2022-09-26T18:49:47.140", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:zapier:code_by_zapier:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "0B4E1EBB-D5DC-4967-9B03-BB194D2DBEBE", "versionEndExcluding": "2022-08-17"}], "operator": "OR"}]}], "sourceIdentifier": "cve@mitre.org"}