CVE-2017-6199

9.8 CRITICAL

📋 TL;DR

CVE-2017-6199 is an authentication bypass vulnerability in Sandstorm.io where attackers could circumvent organization restrictions by using commas in email address fields. This affects Sandstorm installations before build 0.203 that use organization restrictions. Attackers could gain unauthorized access to restricted organizational resources.

💻 Affected Systems

Products:
  • Sandstorm.io
Versions: All versions before build 0.203
Operating Systems: Linux
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects installations using organization restrictions feature. Sandstorm installations without organization restrictions are not vulnerable.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete compromise of organizational boundaries, allowing attackers to access all restricted organizational data and functionality as if they were legitimate organization members.

🟠 Likely Case

Unauthorized access to organizational resources, potentially exposing sensitive data and functionality meant only for organization members.

🟢 If Mitigated

Limited impact with proper network segmentation and monitoring, though authentication bypass still presents significant risk.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires valid user credentials but bypasses organization restrictions. The vulnerability is well-documented in public security reviews.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Build 0.203 and later

Vendor Advisory: https://sandstorm.io/news/2017-03-02-security-review

Restart Required: Yes

Instructions:

1. Update Sandstorm to build 0.203 or later.
2. Restart Sandstorm services.
3. Verify the fix by checking the version and testing organization restrictions.

🔧 Temporary Workarounds

Disable Organization Restrictions (Linux)

Temporarily disable the organization restrictions feature until patching is possible.

🧯 If You Can't Patch

  • Implement strict network segmentation to isolate Sandstorm instances
  • Enable detailed logging and monitoring for authentication attempts with unusual email formats

🔍 How to Verify

Check if Vulnerable:

Check Sandstorm version: if version is earlier than 0.203 and organization restrictions are enabled, the system is vulnerable.

Check Version:

sandstorm version

Verify Fix Applied:

After updating to 0.203+, test organization restrictions with comma-containing email addresses to ensure they are properly rejected.

📡 Detection & Monitoring

Log Indicators:

  • Authentication attempts with email addresses containing commas
  • Successful logins that bypass organization restrictions

Network Indicators:

  • Unusual authentication patterns from external sources

SIEM Query:

source="sandstorm" AND (email CONTAINS "," OR "organization bypass")
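The two detection points above (comma-containing email values and successful logins that should have failed the organization check) can be exercised with a small script. The following is an added example, not Sandstorm's code: it assumes a hypothetical organization rule based on the domain part of a single well-formed email address, and the log lines are constructed in an assumed key=value format rather than Sandstorm's real log layout. The membership check shows the defensive behaviour the fix calls for (an address field holding a list of addresses is rejected outright), and the scanner applies the page's log indicators to sample lines.

```python
import re
from typing import Dict, List, Optional

# Hypothetical organization-restriction check (assumption, not Sandstorm's
# implementation): membership is decided by the domain of exactly one
# well-formed address. Comma-separated lists and whitespace are rejected
# before any domain comparison takes place.
EMAIL_RE = re.compile(r"^[A-Za-z0-9._%+-]+@([A-Za-z0-9-]+\.)+[A-Za-z]{2,}$")


def email_domain(address: str) -> Optional[str]:
    """Return the lowercase domain of a single well-formed address, else None."""
    address = address.strip()
    if "," in address or any(ch.isspace() for ch in address):
        return None  # a list of addresses is not one address
    if not EMAIL_RE.match(address):
        return None
    return address.rsplit("@", 1)[1].lower()


def is_org_member(address: str, org_domain: str) -> bool:
    """True only when the address parses cleanly and its domain is the org domain."""
    domain = email_domain(address)
    return domain is not None and domain == org_domain.lower()


# Constructed sample log lines in an assumed "auth result=... email=... org=..."
# format. Line 2 carries a comma-separated email value, the page's log indicator.
SAMPLE_LOG = """\
2017-03-02T10:00:01Z auth result=success email=alice@example.org org=example.org
2017-03-02T10:00:05Z auth result=success email=mallory@evil.test,alice@example.org org=example.org
2017-03-02T10:00:09Z auth result=failure email=bob@other.test org=example.org
"""

LOG_LINE_RE = re.compile(
    r"auth result=(?P<result>\w+) email=(?P<email>\S+) org=(?P<org>\S+)"
)


def find_suspicious_auth(log_text: str) -> List[Dict[str, str]]:
    """Flag auth events whose email field contains a comma, or successful
    logins whose email would not pass the strict organization check."""
    findings: List[Dict[str, str]] = []
    for line in log_text.splitlines():
        m = LOG_LINE_RE.search(line)
        if not m:
            continue
        email, org, result = m.group("email"), m.group("org"), m.group("result")
        if "," in email or (result == "success" and not is_org_member(email, org)):
            findings.append({"email": email, "org": org, "result": result, "line": line})
    return findings


if __name__ == "__main__":
    for hit in find_suspicious_auth(SAMPLE_LOG):
        print("suspicious:", hit["line"])
```

Run the script as-is to see the constructed comma-bearing line flagged; point `find_suspicious_auth` at your own exported authentication events after adjusting `LOG_LINE_RE` to their actual field layout.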

🔗 References
