CVE-2022-45164
Description
An issue was discovered in Archibus Web Central 2022.03.01.107. A service exposed by the application allows a basic user to cancel (delete) a booking created by someone else - even if this basic user is not a member of the booking.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
A basic authenticated user in Archibus Web Central 2022.03.01.107 can cancel bookings created by other users without membership.
Vulnerability
The vulnerability is an authorization bypass in Archibus Web Central version 2022.03.01.107. The application exposes a service that allows any authenticated user to cancel (delete) a booking, even if that user was not the creator of the booking and is not a member of the associated booking group. No special privileges beyond a basic user account are required to reach this code path [1].
Exploitation
An attacker needs only a valid basic user account for the Archibus Web Central application. No additional network position, authentication level, or user interaction beyond normal authenticated access is required. The attacker can simply invoke the exposed service endpoint for any existing booking ID, including those created by other users, to perform the delete operation [1].
Impact
A successful attack results in unauthorized deletion of arbitrary bookings in the system. This can lead to denial of service for legitimate users who depend on those bookings, causing scheduling conflicts and loss of resource availability. The attacker does not gain elevated privileges or access to other data beyond the ability to cancel bookings [1].
Mitigation
As of the publication date (2023-01-10), the vendor has not released a fixed version or official workaround. Users should implement access control restrictions at the application layer or network level to restrict access to the vulnerable service until a patch is provided [1].
AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Archibus/Web Central
- Range: = 2022.03.01.107
Patches
No patches discovered yet.