CVE-2023-51663

CVSS 3.1 Score 5.3 of 10 (medium)

Details

Published Dec 29, 2023
Updated: Jan 5, 2024
CWE ID 289

Summary

CVE-2023-51663 affects Hail, an open-source tool for analysing genomic data. Hail relied on the email address carried in a user's OpenID Connect (OIDC) identity token to verify which organization (domain) that user belongs to. Because users can change the email address on their own Microsoft or Google account, an attacker can set it to an address at another organization's domain and then register accounts in Hail clusters belonging to that organization. For instance, an attacker who creates a Microsoft or Google account and changes its email address to one at `example.org` can create a Hail Batch account in a cluster configured for the `example.org` domain. The attacker cannot read private data or impersonate existing users, but can run jobs if Hail Batch billing projects are enabled and, if they also hold Azure Active Directory Administrator access, can potentially create Azure tenants.
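The following is an added illustration of the weakness described above, not Hail's code and not Hail's fix. It places a domain check that trusts the user-editable `email` claim beside one that relies on a claim the identity provider binds to the organization: `hd` (hosted domain), which Google asserts only for Google Workspace accounts, and `tid` (tenant ID) in Microsoft identity platform tokens. The function names, the pinned tenant ID and the sample claim sets are constructed for this example; signature and audience validation of the ID token is assumed to have happened already.

```python
"""Weak vs. hardened OIDC domain verification (illustrative, not Hail's code)."""

# Constructed configuration for the example organization.
ALLOWED_DOMAIN = "example.org"
ALLOWED_GOOGLE_HD = "example.org"                           # Google Workspace hosted domain
ALLOWED_MS_TENANT = "11111111-2222-3333-4444-555555555555"   # constructed tenant ID

GOOGLE_ISSUER = "https://accounts.google.com"
MS_ISSUER_PREFIX = "https://login.microsoftonline.com/"


def domain_of(email: str) -> str:
    """Return the lower-cased domain part of an email address, or '' if malformed."""
    if email.count("@") != 1:
        return ""
    return email.rsplit("@", 1)[1].strip().lower()


def vulnerable_domain_check(claims: dict) -> bool:
    """The weak pattern: organization membership is inferred from the email claim.

    The email address on a consumer Google or Microsoft account is controlled by
    the account holder, so this check is satisfied by anyone willing to rename
    their account to something@example.org.
    """
    return domain_of(claims.get("email", "")) == ALLOWED_DOMAIN


def hardened_domain_check(claims: dict) -> bool:
    """Hardened: require a provider-asserted organization claim.

    Assumes the token's signature, `aud` and `exp` were already verified.
    """
    iss = claims.get("iss", "")
    if iss == GOOGLE_ISSUER:
        # `hd` is only present for Workspace accounts and is set by Google, not the user.
        return claims.get("hd") == ALLOWED_GOOGLE_HD
    if iss.startswith(MS_ISSUER_PREFIX):
        # `tid` identifies the issuing tenant; a personal or foreign-tenant account
        # cannot present the victim tenant's ID. Also require the issuer to name it.
        tid = claims.get("tid")
        return tid == ALLOWED_MS_TENANT and iss == f"{MS_ISSUER_PREFIX}{tid}/v2.0"
    return False


# Constructed sample claim sets.
ATTACKER_GOOGLE = {              # consumer Google account renamed to the target domain
    "iss": GOOGLE_ISSUER,
    "sub": "1001",
    "email": "attacker@example.org",
    "email_verified": True,
    # no `hd`: consumer accounts are not part of any Workspace domain
}
LEGIT_GOOGLE = {                 # genuine Workspace user of example.org
    "iss": GOOGLE_ISSUER,
    "sub": "1002",
    "email": "alice@example.org",
    "email_verified": True,
    "hd": "example.org",
}
ATTACKER_MS = {                  # account in the attacker's own tenant, email renamed
    "iss": f"{MS_ISSUER_PREFIX}99999999-8888-7777-6666-555555555555/v2.0",
    "sub": "2001",
    "tid": "99999999-8888-7777-6666-555555555555",
    "email": "attacker@example.org",
}
LEGIT_MS = {                     # user inside the organization's pinned tenant
    "iss": f"{MS_ISSUER_PREFIX}{ALLOWED_MS_TENANT}/v2.0",
    "sub": "2002",
    "tid": ALLOWED_MS_TENANT,
    "email": "bob@example.org",
}


def compare_checks() -> dict:
    """Run both checks over the samples; returns {name: (vulnerable, hardened)}."""
    samples = {
        "attacker_google": ATTACKER_GOOGLE,
        "legit_google": LEGIT_GOOGLE,
        "attacker_ms": ATTACKER_MS,
        "legit_ms": LEGIT_MS,
    }
    return {n: (vulnerable_domain_check(c), hardened_domain_check(c)) for n, c in samples.items()}


if __name__ == "__main__":
    for name, (weak, strong) in compare_checks().items():
        print(f"{name:16s} email-based={weak!s:5s} claim-based={strong}")
```

Both attacker samples pass the email-based check and fail the claim-based one, while both legitimate users pass both, which is the behaviour an operator should confirm on their own tokens before switching the check.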
