CVE-2025-0001

Abacus ERP versions older than 2024.210.16036, 2023.205.15833, and 2022.105.15542 are affected by an authenticated arbitrary file read vulnerability. It allows a malicious user to recover the JWT signing key by carefully crafting a malicious URL, and then to forge arbitrary tokens to authenticate against the API as any other user.

This vulnerability was discovered during a white-box audit, which unveiled a flawed API route leading to an arbitrary file read caused by a user-controlled absolute path. An attacker who knows the file path could extract the JWT signing key and forge authorisation tokens. It is worth noting that other elements must be known for the attack to succeed.
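As an added illustration of the defect class described above (not code from Abacus or from this advisory), here is a file-read handler that uses the caller's path verbatim, beside a hardened version that resolves the path and refuses anything outside the intended directory. The directory `/srv/erp/exports` and all function names are assumptions; Python is used for clarity regardless of the product's own implementation language.

```python
import os
from pathlib import Path

# Constructed sample layout: the only directory the API should ever serve from.
# Assumed location for this example, not Abacus's real path.
ALLOWED_ROOT = Path("/srv/erp/exports")


def read_file_unsafe(user_path: str) -> str:
    """Vulnerable pattern: the caller's path is opened as-is, so an absolute
    path (or a '../' traversal) reaches any file the service account can read,
    such as a configuration file holding the JWT signing key."""
    with open(user_path, "r", encoding="utf-8") as fh:
        return fh.read()


def resolve_within_root(user_path: str, root: Path = ALLOWED_ROOT) -> Path:
    """Hardened pattern: treat the input as a relative name, resolve '..'
    segments and symlinks, then verify the result is still under `root`.
    Raises ValueError for empty input, absolute paths, or any escape."""
    if not user_path or os.path.isabs(user_path):
        raise ValueError("absolute or empty paths are not accepted")
    candidate = (root / user_path).resolve()
    root_resolved = root.resolve()
    try:
        candidate.relative_to(root_resolved)  # raises if outside root
    except ValueError:
        raise ValueError("path escapes the allowed directory") from None
    return candidate


def is_allowed(user_path: str, root: Path = ALLOWED_ROOT) -> bool:
    """Predicate form of the check, convenient for request validation."""
    try:
        resolve_within_root(user_path, root)
        return True
    except ValueError:
        return False


def read_file_safe(user_path: str, root: Path = ALLOWED_ROOT) -> str:
    """Only opens files that passed the containment check."""
    path = resolve_within_root(user_path, root)
    with open(path, "r", encoding="utf-8") as fh:
        return fh.read()
```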

Thanks to Nicolas who performed this test with me, and to the Abacus team for their cooperation!

Patched versions:

  • >= 2024.210.16036
  • >= 2023.205.15833
  • >= 2022.205.15542

- testdeurdestylos