CVE-2025-13084

Affected product: groov View (the vendor field on this page is not populated; the product is identified in the vulnerability description below)

A high-severity information disclosure vulnerability has been identified in the groov View API.

Executive summary

A high-severity information disclosure vulnerability has been identified in the groov View API. An insufficiently protected API endpoint allows an attacker to retrieve the complete list of system users together with each user's secret API key. Because an API key is a bearer credential, this is equivalent to a credential dump: an attacker can impersonate any user, including administrative ones, and compromise the affected system.

Vulnerability

The groov View API contains an information disclosure vulnerability in its /users endpoint. An unauthenticated or low-privileged attacker can send a request to this endpoint and receive a response listing all registered users. The response includes usernames, associated metadata and, most critically, each user's private API key. Since the API key is the credential the API accepts for authentication, an attacker holding the stolen keys can call the API as any user and inherit that user's privileges, enabling unauthorized access and actions across the whole system.

Business impact

This vulnerability is rated High severity with a CVSS score of 7.6 (the full CVSS vector is not recorded on this page). Successful exploitation leads to loss of confidentiality and integrity for the affected system: an attacker holding every user's API key can read sensitive data, modify configuration, disrupt operations and use the compromised host as a foothold to reach other parts of the network. This poses a significant risk of a data breach, operational downtime and reputational damage.

Remediation

Immediate Action: Apply vendor security updates immediately. After patching, rotate all existing API keys and treat the old ones as compromised. Rotate only after the patch is in place: keys issued while the endpoint is still exposed can simply be harvested again.

Proactive Monitoring: Monitor web server and API logs for unusual or repeated requests to the /users endpoint, in particular requests that reach it without an authenticated session and receive a successful response. Investigate API activity originating from unexpected IP addresses or geographic locations. Alert on high-volume API calls, and on actions performed under several different user accounts from a single source IP, since a single client switching between many keys is a strong indicator that harvested keys are in use.
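The monitoring advice above, turned into a small log triage script. This is an added example and is not code from the advisory or from the groov View vendor. It assumes a hypothetical combined-style access log in which the third field carries the authenticated API user ("-" when the request was unauthenticated); the sample log lines and the /api/v1/... paths in them are constructed for the example and are not real groov View log output or endpoints.

```python
"""Triage access logs for signs of CVE-2025-13084 abuse.

Added example, not the vendor's code.  Assumed (hypothetical) log format:
    <ip> - <api_user> [<timestamp>] "<METHOD> <path> HTTP/x.y" <status> <bytes>
where <api_user> is "-" for unauthenticated requests.
"""
import re
from collections import defaultdict

SENSITIVE_PATH = "/users"  # the vulnerable endpoint named in the advisory

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\d+|-)$'
)

# Constructed sample log lines (not real groov View output).
SAMPLE_LOG = [
    '10.0.0.5 - - [01/Jan/2025:10:00:01 +0000] "GET /users HTTP/1.1" 200 5120',
    '10.0.0.5 - alice [01/Jan/2025:10:00:05 +0000] "GET /api/v1/data HTTP/1.1" 200 312',
    '10.0.0.5 - bob [01/Jan/2025:10:00:07 +0000] "POST /api/v1/data HTTP/1.1" 200 88',
    '10.0.0.5 - carol [01/Jan/2025:10:00:09 +0000] "GET /api/v1/data HTTP/1.1" 200 312',
    '192.168.1.20 - alice [01/Jan/2025:10:01:00 +0000] "GET /api/v1/data HTTP/1.1" 200 312',
    '192.168.1.20 - alice [01/Jan/2025:10:01:30 +0000] "GET /users?x=1 HTTP/1.1" 403 0',
    'garbage line that does not parse',
]


def parse_line(line):
    """Parse one access-log line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    # Strip the query string so /users?x=1 is still recognised as /users.
    rec["path"] = rec["path"].split("?", 1)[0]
    return rec


def is_sensitive(path):
    """True for /users itself and anything beneath it, but not for /usersfoo."""
    return path == SENSITIVE_PATH or path.startswith(SENSITIVE_PATH + "/")


def analyze(lines, max_users_per_ip=1):
    """Return three findings from an iterable of log lines:

    users_endpoint_hits   every request that touched /users (any caller, any status)
    unauth_success        /users requests with no authenticated user that got a 2xx,
                          i.e. the exact pattern of a successful key dump
    multi_user_ips        source IPs that acted as more than max_users_per_ip
                          distinct API users, mapped to the sorted user list
    """
    users_endpoint_hits = []
    unauth_success = []
    users_by_ip = defaultdict(set)
    for raw in lines:
        rec = parse_line(raw)
        if rec is None:
            continue  # unparseable line: skip rather than crash mid-triage
        if is_sensitive(rec["path"]):
            users_endpoint_hits.append(rec)
            if rec["user"] == "-" and 200 <= rec["status"] < 300:
                unauth_success.append(rec)
        if rec["user"] != "-":
            users_by_ip[rec["ip"]].add(rec["user"])
    multi_user_ips = {
        ip: sorted(users)
        for ip, users in users_by_ip.items()
        if len(users) > max_users_per_ip
    }
    return {
        "users_endpoint_hits": users_endpoint_hits,
        "unauth_success": unauth_success,
        "multi_user_ips": multi_user_ips,
    }


if __name__ == "__main__":
    findings = analyze(SAMPLE_LOG)
    for rec in findings["unauth_success"]:
        print(f"LIKELY KEY DUMP: {rec['ip']} {rec['method']} {rec['path']} -> {rec['status']}")
    for ip, users in findings["multi_user_ips"].items():
        print(f"MULTI-USER SOURCE: {ip} acted as {', '.join(users)}")
```

On the constructed sample, 10.0.0.5 is flagged twice: it fetched /users without authentication and got a 200, and a few seconds later the same IP acted as alice, bob and carol, which is what replaying harvested keys looks like. 192.168.1.20 touched /users but was refused (403) and only ever acted as alice, so it appears in the raw hit list but not in either alert list. The threshold max_users_per_ip is a knob: raise it for shared NAT egress addresses where several legitimate users share one IP.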

Compensating Controls: If immediate patching is not possible, add a Web Application Firewall (WAF) or reverse proxy rule that denies access to the /users API endpoint, and restrict network access to the API to trusted hosts until the patch can be applied. Two caveats: the rule must match the path after normalization (trailing slashes, case and URL encoding are common bypasses for naive path filters), and a filter in front of the API does nothing for callers that can already reach it directly, so the network restriction is the more important of the two.

Exploitation status

Public Exploit Available: false

Analyst recommendation

Due to the high severity (CVSS 7.6) and the critical nature of the exposed data (API keys), immediate action is required. Organizations must prioritize deployment of the vendor-supplied security updates to remediate this vulnerability. As a precautionary measure, all API keys on affected systems should then be invalidated and re-issued, since logs alone may not show whether the keys were exposed before patching.