CVE-2022-24721

8.1 HIGH

📋 TL;DR

CVE-2022-24721 is an authorization bypass vulnerability in CometD web messaging framework that allows any remote user to subscribe to and publish on internal Oort and Seti channels. This exposes cluster-internal traffic containing potentially sensitive user data and enables unauthorized data manipulation. All CometD deployments using affected versions are vulnerable.

💻 Affected Systems

Products:
  • CometD
Versions: All versions prior to 5.0.11, 6.0.6, and 7.0.6
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: Affects all deployments using Oort or Seti channels for clustering.

⚠️ Risk & Real-World Impact

🔴 Worst Case: Attackers could access sensitive user data from cluster traffic, modify/delete user data, and disrupt cluster operations by manipulating cluster structure.
🟠 Likely Case: Unauthorized access to internal messaging channels exposing user session data and potential data tampering.
🟢 If Mitigated: Limited to authenticated users with proper channel restrictions, maintaining normal cluster operations.

🌐 Internet-Facing: HIGH - Remote unauthenticated exploitation possible if CometD is internet-facing.
🏢 Internal Only: MEDIUM - Internal attackers could still exploit, but requires network access.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation requires understanding of CometD channel structure but is straightforward once identified.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 5.0.11, 6.0.6, or 7.0.6 depending on major version

Vendor Advisory: https://github.com/cometd/cometd/security/advisories/GHSA-rjmq-6v55-4rjv

Restart Required: Yes

Instructions:

1. Identify the current CometD version.
2. Upgrade to the patched version matching your major version (5.x to 5.0.11+, 6.x to 6.0.6+, 7.x to 7.0.6+).
3. Restart CometD services.
4. Verify that authorization policies are enforced.

🔧 Temporary Workarounds

Custom SecurityPolicy Implementation

Applies to: all

Implement a custom SecurityPolicy (CometD's SecurityPolicy interface) with deny rules that forbid remote, non-Oort sessions from subscribing to or publishing on Oort and Seti channels.
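An added example of such a policy for a Java CometD deployment (not CometD's own code and not part of the advisory): it extends DefaultSecurityPolicy and denies remote, non-Oort sessions on channels under the /oort/, /service/oort and /seti/ namespaces. Assumptions: those three prefixes cover the cluster channels in your deployment, and Oort marks peer-node sessions with the Oort.OORT_ATTRIBUTE session attribute; check both against the CometD version you run.

```java
import org.cometd.bayeux.server.BayeuxServer;
import org.cometd.bayeux.server.ServerChannel;
import org.cometd.bayeux.server.ServerMessage;
import org.cometd.bayeux.server.ServerSession;
import org.cometd.oort.Oort;
import org.cometd.server.DefaultSecurityPolicy;

/**
 * Denies remote, non-Oort sessions any create/subscribe/publish on
 * cluster-internal Oort and Seti channels; everything else falls back
 * to DefaultSecurityPolicy. Install with:
 *   bayeuxServer.setSecurityPolicy(new ClusterChannelSecurityPolicy());
 */
public class ClusterChannelSecurityPolicy extends DefaultSecurityPolicy {
    // Assumed channel namespaces used by Oort and Seti for cluster traffic.
    private static final String[] CLUSTER_PREFIXES = {"/oort/", "/service/oort", "/seti/"};

    static boolean isClusterChannel(String channelId) {
        for (String prefix : CLUSTER_PREFIXES) {
            if (channelId.startsWith(prefix)) {
                return true;
            }
        }
        return false;
    }

    // Server-side (local) sessions are trusted; remote sessions are trusted only
    // if Oort marked them as a peer node. Assumption: Oort sets OORT_ATTRIBUTE
    // on sessions opened by other nodes of the cluster.
    private static boolean isTrustedClusterSession(ServerSession session) {
        return session != null
                && (session.isLocalSession() || session.getAttribute(Oort.OORT_ATTRIBUTE) != null);
    }

    private static boolean denied(ServerSession session, String channelId) {
        return isClusterChannel(channelId) && !isTrustedClusterSession(session);
    }

    @Override
    public boolean canCreate(BayeuxServer server, ServerSession session, String channelId, ServerMessage message) {
        return !denied(session, channelId) && super.canCreate(server, session, channelId, message);
    }

    @Override
    public boolean canSubscribe(BayeuxServer server, ServerSession session, ServerChannel channel, ServerMessage message) {
        return !denied(session, channel.getId()) && super.canSubscribe(server, session, channel, message);
    }

    @Override
    public boolean canPublish(BayeuxServer server, ServerSession session, ServerChannel channel, ServerMessage message) {
        return !denied(session, channel.getId()) && super.canPublish(server, session, channel, message);
    }
}
```

Denied subscribe/publish attempts are reported back to the client as failed Bayeux messages, which is also the point at which you would log them for the detection indicators listed below.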

🧯 If You Can't Patch

  • Implement network segmentation to restrict access to CometD cluster traffic
  • Deploy Web Application Firewall (WAF) with rules to block unauthorized channel access patterns

🔍 How to Verify

Check if Vulnerable:

Check the CometD version against the affected ranges: if the version is below 5.0.11 (5.x), 6.0.6 (6.x) or 7.0.6 (7.x), the system is vulnerable.

Check Version:

Check application logs, configuration files, or use CometD API to query version.

Verify Fix Applied:

After patching, test that unauthorized users cannot subscribe to or publish on Oort and Seti channels.

📡 Detection & Monitoring

Log Indicators:

  • Unauthorized subscription attempts to Oort/Seti channels
  • Unexpected publishing activity on internal channels

Network Indicators:

  • Unusual message traffic patterns to cluster-internal channels from unauthorized sources

SIEM Query:

source="cometd" AND (channel="/oort/*" OR channel="/seti/*") AND user="unauthenticated"

(Illustrative query: Oort channels live under /oort and Seti channels under /seti; adapt the field names to your logging format.)
