VYPR
Unrated severity · NVD Advisory · Published Apr 15, 2020 · Updated Aug 4, 2024

CVE-2020-11666

Description

CA API Developer Portal 4.3.1 and earlier contains an access control flaw that allows malicious users to elevate privileges.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

An access control flaw in CA API Developer Portal 4.3.1 and earlier allows malicious users with low privileges to elevate their privileges, potentially gaining administrative control.

Vulnerability

CVE-2020-11666 is an access control flaw in the CA API Developer Portal versions 4.3.1 and earlier [1]. The vulnerability resides in the authorization logic, allowing a malicious user to bypass intended restrictions and elevate their privileges. The exact component or endpoint is not publicly detailed, but the flaw is present in the portal's access control enforcement [1].

Exploitation

An attacker must have a valid user account with low privileges on the portal [1]. The attacker then exploits the access control flaw by sending crafted requests that manipulate the authorization checks, causing the system to grant higher privileges than intended [1]. No user interaction is required beyond the attacker's own actions [1].

Impact

Successful exploitation allows the attacker to escalate their privileges to a higher level, potentially gaining administrative access [1]. This can lead to full control over the portal, including the ability to view, modify, or delete sensitive data, manage users, and perform other administrative actions [1].

Mitigation

Broadcom released a fix for this vulnerability in the CA API Developer Portal update announced on April 14, 2020 [1]. Customers should apply the vendor-supplied patch immediately. The public advisory does not specify workarounds for cases where patching is not possible [1].

AI Insight generated on May 27, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products: 2

References: 4