CVE-2022-38180
Description
In JetBrains Ktor before 2.1.0 the wrong authentication provider could be selected in some cases
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
In JetBrains Ktor before 2.1.0, nested authentication providers could cause the wrong provider to be selected, potentially allowing authentication bypass.
Vulnerability
Overview
CVE-2022-38180 affects JetBrains Ktor, a Kotlin framework for building connected applications. The vulnerability arises from improper handling of nested authentication providers: when several providers are configured so that more than one applies to the same route through nesting, the selection logic can apply the wrong provider to a given request [1]. The flaw is present in versions prior to 2.1.0 and is addressed in Pull Request #3092, which fixes the nesting of authentication providers [1].
Exploitation
Prerequisites
No credentials are required to reach the affected code path, because the defect lies in the server-side selection of the authentication provider rather than in anything the client has to supply. The attack surface is any Ktor application that configures multiple authentication providers in a nested arrangement; which provider guards a request is decided by that route configuration, so an ordinary request to an affected route is enough for it to be evaluated against a provider the developer did not intend [1][3]. The advisory ties the issue to nested configurations; a single flat set of providers is not the case it describes [1].
Impact
Successful exploitation amounts to an authentication bypass: a request is authenticated against a different, possibly weaker, provider than the one intended for the resource, so an attacker whose credentials satisfy the wrongly selected provider gains access to resources that should have been protected by another one. Depending on the application's security model, this can mean unauthorized access to sensitive data or functionality. The references cited here do not state a CVSS score or severity; the issue is generally treated as moderate because it requires a specific (nested) provider configuration [3].
Mitigation
JetBrains fixed this issue in Ktor 2.1.0 (io.ktor:ktor); upgrade to 2.1.0 or later. No workaround has been documented [1][3]. Since the trigger is the nested provider configuration itself, auditing the routing table for nested authentication blocks, and confirming with a test that each protected route honours the credentials its own block was configured for, is a reasonable check both before and after the upgrade.
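As an added example, not taken from the Ktor project or from the advisory, the following Kotlin file shows the kind of configuration the advisory describes (two named basic providers, the second nested inside the first in the routing table) together with a regression test that checks each guarded route against the provider it was configured with. The provider names, routes and credential sets are invented for illustration. The page does not spell out how Ktor combines nested providers, so the test only asserts what holds either way: anonymous and unknown credentials are rejected, and the credentials a block was configured to accept do open the route that block guards.

```kotlin
// Added example (not Ktor project code): nested authentication providers plus a
// regression test. Provider names, routes and credentials are constructed for
// illustration. Requires ktor-server-auth, ktor-server-test-host and kotlin-test.
import io.ktor.client.request.*
import io.ktor.http.*
import io.ktor.server.application.*
import io.ktor.server.auth.*
import io.ktor.server.response.*
import io.ktor.server.routing.*
import io.ktor.server.testing.*
import kotlin.test.Test
import kotlin.test.assertEquals

// Constructed credential stores; a real application would store password hashes.
private val users = mapOf("alice" to "alice-pw")
private val admins = mapOf("root" to "root-pw")

fun Application.module() {
    install(Authentication) {
        // Outer provider: ordinary users.
        basic("users") {
            realm = "users"
            validate { c -> if (users[c.name] == c.password) UserIdPrincipal(c.name) else null }
        }
        // Inner provider: administrators. A distinct credential set makes a wrongly
        // selected provider visible as the wrong credentials being honoured.
        basic("admins") {
            realm = "admins"
            validate { c -> if (admins[c.name] == c.password) UserIdPrincipal(c.name) else null }
        }
    }
    routing {
        authenticate("users") {
            get("/data") {
                call.respondText("data for ${call.principal<UserIdPrincipal>()?.name}")
            }
            // The nested block is the configuration CVE-2022-38180 is about.
            authenticate("admins") {
                get("/admin") {
                    call.respondText("admin console for ${call.principal<UserIdPrincipal>()?.name}")
                }
            }
        }
    }
}

class NestedAuthenticationTest {
    @Test
    fun eachRouteHonoursTheProviderItWasConfiguredWith() = testApplication {
        application { module() }

        // Anonymous requests must be challenged on both routes.
        assertEquals(HttpStatusCode.Unauthorized, client.get("/data").status)
        assertEquals(HttpStatusCode.Unauthorized, client.get("/admin").status)

        // Credentials valid for the outer block open the outer route.
        assertEquals(HttpStatusCode.OK, client.get("/data") { basicAuth("alice", "alice-pw") }.status)

        // Credentials valid for the inner block open the inner route. If the inner
        // provider were skipped in favour of the outer one, this would be a 401.
        assertEquals(HttpStatusCode.OK, client.get("/admin") { basicAuth("root", "root-pw") }.status)

        // Unknown credentials are rejected on both routes.
        assertEquals(HttpStatusCode.Unauthorized, client.get("/admin") { basicAuth("mallory", "guess") }.status)
        assertEquals(HttpStatusCode.Unauthorized, client.get("/data") { basicAuth("mallory", "guess") }.status)
    }
}
```

Run it with the Ktor version you are upgrading to; it is expected to pass on 2.1.0 or later. Running the same test against the 2.0.x dependency you are upgrading from tells you whether your own nested routes were among the affected cases, which is more useful than reading the advisory alone.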
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| io.ktor:ktor (Maven) | < 2.1.0 | 2.1.0 |
Affected products (2)
Patches (0)
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References (5)
- https://github.com/advisories/GHSA-hccx-cg4v-hrjx (GitHub Security Advisory)
- https://nvd.nist.gov/vuln/detail/CVE-2022-38180 (NVD)
- https://github.com/ktorio/ktor/pull/3092 (fix, Pull Request #3092)
- https://www.jetbrains.com/privacy-security/issues-fixed (JetBrains)
- https://www.jetbrains.com/privacy-security/issues-fixed/ (MITRE reference)
News mentions (0)
No linked articles in our index yet.