
CVE-2022-24721: CWE-863: Incorrect Authorization in cometd cometd

Medium
Published: Tue Mar 15 2022 (03/15/2022, 13:45:13 UTC)
Source: CVE
Vendor/Project: cometd
Product: cometd

Description

CometD is a scalable comet implementation for web messaging. In any version prior to 5.0.11, 6.0.6, and 7.0.6, internal usage of Oort and Seti channels is improperly authorized, so any remote user could subscribe and publish to those channels. By subscribing to those channels, a remote user may be able to watch cluster-internal traffic that contains other users' (possibly sensitive) data. By publishing to those channels, a remote user may be able to create/modify/delete other users' data and modify the cluster structure. A fix is available in versions 5.0.11, 6.0.6, and 7.0.6. As a workaround, install a custom `SecurityPolicy` that forbids subscription and publishing to remote, non-Oort sessions on Oort and Seti channels.

AI-Powered Analysis

Last updated: 06/23/2025, 13:35:59 UTC

Technical Analysis

CVE-2022-24721 is a medium-severity incorrect-authorization flaw (CWE-863) in CometD, a scalable comet implementation for web messaging. CometD's clustering module, Oort, and its user-to-session mapping module, Seti, exchange cluster-internal messages on dedicated Bayeux channels. Those channels are meant to be used only by the cluster nodes themselves, but in versions prior to 5.0.11, 6.0.6 and 7.0.6 the server did not restrict them: any remote client session could subscribe to them and publish on them. A subscriber can observe cluster-internal traffic, which may carry other users' (possibly sensitive) data; a publisher can inject messages that create, modify or delete other users' data and change the cluster structure, affecting service integrity and availability. Exploitation needs nothing beyond an ordinary remote client session that can reach the CometD endpoint; no special privileges or user interaction are involved. The issue is fixed in CometD 5.0.11, 6.0.6 and 7.0.6. Until an upgrade is possible, the project's workaround is a custom SecurityPolicy that forbids subscribing and publishing on Oort and Seti channels from remote sessions that are not Oort peer sessions. No exploitation in the wild had been reported as of the publication date in March 2022.

Potential Impact

For European organizations running vulnerable versions of CometD, this vulnerability puts the confidentiality, integrity and availability of cluster-internal communication at risk. Confidentiality is affected because an attacker subscribed to the internal channels can read data exchanged between cluster nodes, including other users' data. Integrity is affected because an attacker publishing on those channels can manipulate or delete other users' data and alter the cluster topology. Availability is affected if the injected messages destabilize the cluster structure. Organizations that rely on CometD for real-time messaging in critical applications, for example in financial services, telecommunications or industrial control environments, may therefore face operational disruption and data exposure. Because an ordinary remote client session is all that is needed, the risk is highest where the CometD endpoint is reachable from untrusted networks or from poorly segmented internal networks, and a foothold on the messaging layer could also be used to reach further into a compromised environment.

Mitigation Recommendations

1. Upgrade CometD to the fixed versions 5.0.11, 6.0.6, or 7.0.6 as soon as possible to fully remediate the vulnerability.
2. Until patching is feasible, install a custom SecurityPolicy that explicitly forbids subscription and publishing on Oort and Seti channels from remote, non-Oort sessions, so that only local sessions and Oort peer sessions can use them.
3. Restrict network access to CometD services with strict firewall rules and network segmentation, limiting exposure to trusted hosts only.
4. Monitor CometD logs for unusual subscription or publishing activity on Oort and Seti channels from client sessions; such activity may indicate exploitation attempts.
5. Conduct regular security assessments and penetration tests of CometD deployments to identify and remediate residual authorization weaknesses.
6. Educate development and operations teams about secure configuration of CometD and the importance of timely patching for messaging infrastructure.
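The interim SecurityPolicy mentioned in the technical analysis and in recommendations 2 and 4 above can be written as follows. This is an added example, not code from the CometD project or from the advisory; it follows the documented pattern of extending CometD's `DefaultSecurityPolicy` and overriding its boolean `canSubscribe` and `canPublish` methods. The channel prefixes in `INTERNAL_PREFIXES` and the `isOortPeer` predicate are assumptions: the prefixes must be checked against the `Oort` and `Seti` channel constants of the deployed CometD version, and the predicate must be wired to whatever check the deployment uses to recognise Oort peer sessions. Denials are logged so that exploitation attempts show up in the server log (recommendation 4).

```java
import org.cometd.bayeux.server.BayeuxServer;
import org.cometd.bayeux.server.ServerChannel;
import org.cometd.bayeux.server.ServerMessage;
import org.cometd.bayeux.server.ServerSession;
import org.cometd.server.DefaultSecurityPolicy;

import java.util.function.Predicate;
import java.util.logging.Logger;

/**
 * Interim SecurityPolicy for CVE-2022-24721 (added example, not CometD project code).
 * Subscribe and publish on cluster-internal channels are allowed only for local
 * (server-side) sessions and for sessions recognised as Oort peers; every other
 * session is refused and the refusal is logged.
 */
public class OortSetiGuardPolicy extends DefaultSecurityPolicy {
    private static final Logger LOG = Logger.getLogger(OortSetiGuardPolicy.class.getName());

    // Assumed prefixes of Oort and Seti channels; verify against the Oort/Seti
    // channel constants of the CometD version actually deployed.
    private static final String[] INTERNAL_PREFIXES = {"/oort/", "/seti/", "/service/oort"};

    // Hypothetical hook: the deployment wires this to its own Oort peer-session check.
    private final Predicate<ServerSession> isOortPeer;

    public OortSetiGuardPolicy(Predicate<ServerSession> isOortPeer) {
        this.isOortPeer = isOortPeer;
    }

    /** True when the channel is one of the cluster-internal Oort/Seti channels. */
    static boolean isInternalChannel(String channelId) {
        for (String prefix : INTERNAL_PREFIXES) {
            if (channelId.startsWith(prefix)) {
                return true;
            }
        }
        return false;
    }

    /** Common check for both operations; logs and refuses remote, non-Oort sessions. */
    private boolean allowed(ServerSession session, ServerChannel channel, String operation) {
        if (!isInternalChannel(channel.getId())) {
            return true; // ordinary application channel: leave it to the default rules
        }
        if (session != null && (session.isLocalSession() || isOortPeer.test(session))) {
            return true; // server-side code or a trusted cluster peer
        }
        String sessionId = session == null ? "<none>" : session.getId();
        LOG.warning(() -> String.format("CVE-2022-24721 guard: denied %s on %s from remote session %s",
                operation, channel.getId(), sessionId));
        return false;
    }

    @Override
    public boolean canSubscribe(BayeuxServer server, ServerSession session,
                                ServerChannel channel, ServerMessage message) {
        return allowed(session, channel, "subscribe")
                && super.canSubscribe(server, session, channel, message);
    }

    @Override
    public boolean canPublish(BayeuxServer server, ServerSession session,
                              ServerChannel channel, ServerMessage message) {
        return allowed(session, channel, "publish")
                && super.canPublish(server, session, channel, message);
    }
}
```

Register the policy where the `BayeuxServer` is configured, for example with `bayeux.setSecurityPolicy(new OortSetiGuardPolicy(peerCheck))`, where `peerCheck` is the deployment's own test for Oort peer sessions. Because the guard only adds a refusal in front of the inherited rules, channels outside the internal prefixes keep whatever authorization the existing policy applied; if the application already has a custom SecurityPolicy, fold the `allowed` check into it rather than replacing it.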


Technical Details

Data Version
5.1
Assigner Short Name
GitHub_M
Date Reserved
2022-02-10T00:00:00.000Z
Cisa Enriched
true

Threat ID: 682d9842c4522896dcbf2917

Added to database: 5/21/2025, 9:09:22 AM

Last enriched: 6/23/2025, 1:35:59 PM

Last updated: 8/12/2025, 6:49:49 AM

