CVE-2025-55278

Improper · Improper Multiple Products

Executive summary

A high-severity vulnerability has been identified in multiple products, specifically within the API authentication middleware of HCL DevOps Loop. This flaw allows an attacker to bypass authentication controls using invalid access tokens, potentially leading to unauthorized access to sensitive systems and data. Immediate patching is critical to prevent the compromise of DevOps environments and associated intellectual property.

Vulnerability

The vulnerability exists within the API authentication middleware of HCL DevOps Loop. The middleware fails to properly validate critical security attributes of authentication tokens, specifically their expiration timestamp and cryptographic signature. An attacker who has obtained an expired token, or is able to forge a token, can submit it to a vulnerable API endpoint. Because the signature and expiration are not checked, the system will incorrectly grant the attacker access, allowing them to perform unauthorized actions with the privileges of the user associated with the token.

Business impact

This vulnerability is rated as High severity with a CVSS score of 8.1. Successful exploitation could grant an attacker unauthorized access to critical DevOps pipelines and infrastructure. The potential consequences include theft of source code and intellectual property, injection of malicious code into the software supply chain, disruption of build and deployment processes, and unauthorized access to production environments. This poses a significant risk of financial loss, reputational damage, and operational downtime for the organization.

Remediation

Immediate Action: Apply the security updates provided by the vendor across all affected products immediately. After patching, review API access logs for any anomalous or unauthorized activity that may have occurred prior to remediation, paying close attention to authentication patterns.

Proactive Monitoring: Implement enhanced logging and monitoring for API endpoints. Security teams should monitor for repeated authentication attempts with the same token, API requests originating from unusual IP addresses, and any logs indicating authentication success with tokens that should be expired or invalid. Configure alerts for a high volume of authentication failures or successes that deviate from established baselines.

Compensating Controls: If immediate patching is not feasible, implement the following controls to reduce risk:

  • Restrict network access to the affected API endpoints, allowing connections only from trusted internal IP ranges.
  • Place a Web Application Firewall (WAF) in front of the application to inspect and block requests containing malformed or suspicious authentication tokens.
  • Enforce strict session timeout policies on the application front-end to limit the window of opportunity for token reuse.

Exploitation status

Public Exploit Available: false

Analyst recommendation

Given the high CVSS score of 8.1 and the critical role of the affected software in DevOps environments, this vulnerability requires immediate attention. Although not currently listed on the CISA KEV list, the potential for supply chain compromise and data exfiltration is severe. We strongly recommend that the vendor-supplied patches be applied on an emergency basis. Until patching is complete, organizations must implement the recommended compensating controls and proactive monitoring to detect and block potential exploitation attempts.