CVE-2022-25237: Bonitasoft Authorization Bypass and RCE

Bonitasoft has 5M+ downloads from Dockerhub, it is a business automation platform allowing to more easily build, deploy and manage automation applications in business processes.

From the vendor’s website:

Bonita is an open-source and extensible platform for business process automation and optimization.  Bonita Platform accelerates the development, go-to-production, and maintenance of automation projects.  While allowing users to execute tasks that impact their business data, it also efficiently integrates with existing information systems and orchestrates heterogeneous systems, some of them being soft robots.
It provides deep visibility of process execution across the organization through its embedded end-user applications or the Living applications built by the project team to perfectly fit the business needs.

The web.xml file for a Tomcat Java application defines the routes within the application. It also can define how the authentication and authorization of routes in the application are handled. It is always one of the first places to look for potential authentication and authorization bypasses. Specifically, the “filters” defined in the web.xml can often be fruitful as they can determine what should or should not be filtered with authorization to access a particular route.

The following authorization filters specify an excludePattern parameter of “i18ntranslation” and then pass the parameter to 2 different filter classes: RestAPIAuthorizationFilter, TokenValidatorFilter.

Taking a look at these filters they both extend the AbstractAuthorizationFilter, which contains the doFilter method. Inside the doFilter method. A check using the “sessionIsNotNeeded” function is used, which will continue the application flow if it returns true.

The sessionIsNotNeeded function shown below checks for excludePatterns in URLs. If the URL contains this pattern in the path then the authorization filter is bypassed allowing access to the resource.

As we saw in the web.xml, the pattern which is passed in this parameter is “i18ntranslation” This means if this string is anywhere in the URL path, it will allow authorization/authentication to be bypassed for the API endpoints.

Two values were found that work to accomplish this. Simply appending either “/i18ntranslation/../” or “;i18ntranslation” to the API URL will allow authorization to be bypassed.

Caveat:  Although this technically allows a full authentication bypass, its not able to be exploited without a valid user session.  The user doesn’t need permissions, as long as they have a valid session token. In the case of a null session, the application will error out if it is unable to lookup values based on the session token, causing the bypass to fail.

To run the vulnerable version of Bonita, you can use the docker repository:

docker run –name CVE-2022-25237 -d -p 8080:8080 bonita:7.13.0

Log into http://localhost:8080/bonita and create a low privileged user in the “User” profile.  We have published a PoC that achieves code execution on our CVE GitHub repository.