JFrog Security Research
< Back

JFSA-2024-000510085 - VectorAdmin domain restriction authentication bypass

CVE-2024-0879 | CVSS 6.5

JFrog Severity:medium

Discovered ByNatan Nehoraiof the JFrog Security Research Team

Published 25 Jan, 2024 | Last updated 25 Jan, 2024

Authentication bypass in vector-admin allows a user to register to a vector-admin server while “domain restriction” is active, even when not owning an authorized email address.


No version tags. Fixed in commit a581b81

The admin user in the vector-admin server can define a list of domains which will prevent anyuser who does not own an email address under those domains from registering to the server. The registration portal itself does not require any other form of authentication except being from a registered domain.

The domain restriction check is being performed via the “includes” function, which only checks if a certain string is present on a supplied input, not if the string is a prefix or suffix.

No PoC is supplied for this issue

No mitigations are supplied for this issue

Fix commit

< Back