Summary: Incorrect Access Control Vulnerability
Release Date: 21st December 2022
Product: M-Link
Version(s): 16.2v1 to 17.0v23
CVE ID: CVE-2022-47634

Summary of vulnerability

This advisory discloses a critical vulnerability introduced in version R16.2v1 of M-Link. The following versions are affected by this vulnerability:

  • M-Link R16.2v1 to R17.0v23.

There is a bug where, after successful authentication as a non-administrative user, an attacker with knowledge of the correct HTTP URLs is able to access and manipulate archive data.

Severity

Isode rates the severity level of this vulnerability as medium, according to the CVSS system (details can be found at www.first.org).

Mitigation

This vulnerability has been fixed in M-Link R17.0v24 and affected services are advised to immediately upgrade to this version. Current later versions (such as the subsequent major release R19.2) are not affected by this vulnerability.
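To check a deployment against the affected range above and the fixed release named in this section, here is a small version checker added for this advisory (it is not Isode's code). It assumes M-Link versions follow the "R<major>.<minor>v<update>" form used on this page, with the leading "R" optional and a missing "v<update>" treated as update 0 (an assumption, used for strings like "R19.2").

```python
import re
from typing import Dict, Iterable, Tuple

# Affected range taken from the advisory: R16.2v1 up to and including R17.0v23.
AFFECTED_FROM = (16, 2, 1)
AFFECTED_TO = (17, 0, 23)
FIXED_IN = "R17.0v24"

# Optional leading 'R', then major.minor, then an optional 'vN' update number.
_VERSION_RE = re.compile(r"^R?(\d+)\.(\d+)(?:v(\d+))?$")


def parse_version(text: str) -> Tuple[int, int, int]:
    """Parse an M-Link version string such as 'R17.0v23' or '16.2v1'.

    A missing 'vN' part is treated as update 0 (assumption, e.g. 'R19.2').
    Raises ValueError for strings that do not match the expected form.
    """
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised M-Link version: {text!r}")
    major, minor, update = m.groups()
    return int(major), int(minor), int(update or 0)


def is_affected(text: str) -> bool:
    """Return True if the version lies inside the advisory's affected range."""
    return AFFECTED_FROM <= parse_version(text) <= AFFECTED_TO


def assess(versions: Iterable[str]) -> Dict[str, str]:
    """Map each deployed version to an upgrade verdict based on the advisory."""
    return {
        v: (f"upgrade to {FIXED_IN}" if is_affected(v) else "not affected")
        for v in versions
    }


if __name__ == "__main__":
    # Constructed inventory of deployments (sample data, not from the advisory).
    inventory = ["R16.2v1", "R17.0v23", "R17.0v24", "R19.2", "16.1v9"]
    for version, verdict in assess(inventory).items():
        print(f"{version:>10}: {verdict}")
```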

Acknowledgements

Isode thanks Jerome Nokin of the NATO Cyber Security Centre (NCSC), who discovered this vulnerability.