Description
Capgo before 12.128.2 contains an authorization bypass vulnerability in the public.manifest INSERT policy that allows read-only org members to insert OTA manifest rows. Attackers with read-only org access can inject malicious manifest entries with arbitrary s3_path values that are served to devices via the unauthenticated /updates endpoint, enabling OTA metadata poisoning and potential malicious asset delivery.
Problem types
Product status
Any version before 12.128.2
12.128.2 (semver)
Credits
Judel777
References
github.com/.../capgo/security/advisories/GHSA-vmgg-crr8-887p
github.com/.../capgo/security/advisories/GHSA-vmgg-crr8-887p (GitHub Security Advisory (GHSA-vmgg-crr8-887p))
www.vulncheck.com/...fest-insertion-via-read-only-org-member (VulnCheck Advisory: Capgo - Unauthorized Manifest Insertion via Read-Only Org Member)