CVE-2026-42088

OpenC3 · COSMOS

A vulnerability in the OpenC3 COSMOS Script Runner widget allows authenticated users to bypass permissions and perform administrative actions on Redis and other services.

Executive summary

A critical authorization bypass in OpenC3 COSMOS allows users to execute administrative actions, including accessing secrets and modifying system configurations.

Vulnerability

The Script Runner widget allows for the execution of Python and Ruby scripts. Because the COSMOS containers share a network, a user who holds script execution permissions can bypass the API's permission checks by connecting directly to internal services such as Redis, potentially reading secrets, changing configurations, or modifying data in the buckets service.

Business impact

With a CVSS score of 9.6, this vulnerability poses a severe threat to system integrity. An attacker can gain administrative-level control over the COSMOS platform, leading to the unauthorized disclosure of sensitive information and the potential for persistent backdoors within the system configuration.

Remediation

Immediate Action: Upgrade OpenC3 COSMOS to version 7.0.0-rc3 or later to enforce proper permissions checking.

Proactive Monitoring: Review script execution logs and monitor for unauthorized network connections to internal services like Redis from the script runner container.
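The monitoring step above can be turned into an allowlist check over connection records: the script runner container should only ever reach the API, so any flow from it to Redis or the buckets service is worth an alert. The following is an added example, not code from OpenC3 or the advisory; the flow-log line format, the container names (`script-runner`, `cosmos-api`, `redis`, `buckets`) and the port numbers are constructed placeholders for this illustration, not the project's real names.

```python
import re
from dataclasses import dataclass

# Constructed flow-log format (not a COSMOS log format): one connection per line,
# "<timestamp> src=<container> dst=<container> dport=<port>".
LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+src=(?P<src>\S+)\s+dst=(?P<dst>\S+)\s+dport=(?P<dport>\d+)$"
)

# Allowlist: the only destinations each source container is expected to reach.
# Container names and ports are hypothetical placeholders for this example.
ALLOWED = {
    "script-runner": {("cosmos-api", 2900)},
    "cosmos-api": {("redis", 6379), ("buckets", 9000)},
}


@dataclass(frozen=True)
class Alert:
    ts: str
    src: str
    dst: str
    dport: int
    reason: str


def parse_line(line):
    """Return (ts, src, dst, dport) for a well-formed record, else None."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return m.group("ts"), m.group("src"), m.group("dst"), int(m.group("dport"))


def find_unexpected_connections(lines, allowed=ALLOWED):
    """Flag every flow whose (dst, port) is not allowlisted for its source."""
    alerts = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # skip malformed lines rather than crash the monitor
        ts, src, dst, dport = rec
        permitted = allowed.get(src)
        if permitted is None:
            alerts.append(Alert(ts, src, dst, dport, "source container has no allowlist entry"))
        elif (dst, dport) not in permitted:
            alerts.append(Alert(ts, src, dst, dport, "destination not in allowlist for source"))
    return alerts


# Constructed sample log: the API talking to Redis is normal; the script runner
# talking to Redis or the buckets service directly is what the advisory describes.
SAMPLE_LOG = """\
2026-01-01T00:00:01Z src=script-runner dst=cosmos-api dport=2900
2026-01-01T00:00:02Z src=cosmos-api dst=redis dport=6379
2026-01-01T00:00:03Z src=script-runner dst=redis dport=6379
2026-01-01T00:00:04Z src=script-runner dst=buckets dport=9000
this line is not a flow record
"""

if __name__ == "__main__":
    for a in find_unexpected_connections(SAMPLE_LOG.splitlines()):
        print(f"{a.ts} {a.src} -> {a.dst}:{a.dport}  ({a.reason})")
```

An allowlist keyed on the source container is preferable to a denylist of "sensitive" ports: a script that reaches an internal service you forgot to list is still flagged, and a source container with no entry at all is flagged on its first connection.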

Compensating Controls: Implement network segmentation between Docker containers to prevent unauthorized inter-container communication, ensuring that only the services which need Redis and the other internal services can reach them.
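The segmentation described above comes down to which Docker networks each service is attached to. The following added example (not OpenC3's compose file; service and network names are hypothetical placeholders) models two compose-style topologies, the flat single-network layout the advisory describes and a split front/back layout, and checks which service pairs can talk directly. It also renders the per-service `networks:` keys so the corrected layout can be compared against a real compose file.

```python
from itertools import combinations

# Weak setting: every container on one shared network, so the script runner
# can open a socket straight to Redis. Names are hypothetical placeholders.
FLAT_TOPOLOGY = {
    "script-runner": ["default"],
    "cosmos-api": ["default"],
    "redis": ["default"],
    "buckets": ["default"],
}

# Corrected setting: the script runner sits on a front network only; the API
# bridges front and back; Redis and the buckets service live on back only.
SEGMENTED_TOPOLOGY = {
    "script-runner": ["front"],
    "cosmos-api": ["front", "back"],
    "redis": ["back"],
    "buckets": ["back"],
}

# Service pairs that must never share a network (direct reachability forbidden).
FORBIDDEN_PAIRS = {("script-runner", "redis"), ("script-runner", "buckets")}


def shared_networks(topology, a, b):
    """Networks that both services are attached to (empty set means no direct path)."""
    return set(topology[a]) & set(topology[b])


def reachable_pairs(topology):
    """All unordered service pairs that share at least one network."""
    pairs = set()
    for a, b in combinations(sorted(topology), 2):
        if shared_networks(topology, a, b):
            pairs.add((a, b))
    return pairs


def isolation_violations(topology, forbidden=FORBIDDEN_PAIRS):
    """Forbidden pairs that the topology still lets talk directly, with the offending networks."""
    violations = []
    for a, b in sorted(forbidden):
        nets = shared_networks(topology, a, b)
        if nets:
            violations.append((a, b, sorted(nets)))
    return violations


def render_compose(topology):
    """Render the compose-file `services:` / `networks:` sections for a topology."""
    lines = ["services:"]
    for svc in sorted(topology):
        lines.append(f"  {svc}:")
        lines.append("    networks:")
        for net in topology[svc]:
            lines.append(f"      - {net}")
    lines.append("networks:")
    for net in sorted({n for nets in topology.values() for n in nets}):
        lines.append(f"  {net}:")
    return "\n".join(lines)


if __name__ == "__main__":
    for name, topo in (("flat", FLAT_TOPOLOGY), ("segmented", SEGMENTED_TOPOLOGY)):
        print(f"{name}: violations = {isolation_violations(topo)}")
    print(render_compose(SEGMENTED_TOPOLOGY))
```

This check is cheap enough to run in CI against the deployed compose file: if someone later attaches the script runner container to the back network for convenience, `isolation_violations` reports the pair and the shared network before the change ships.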

Exploitation status

Public Exploit Available: No

Analyst recommendation

The ability to bypass administrative controls via the script runner is a critical security failure. Organizations must prioritize the patch and consider implementing stricter network isolation between microservices to prevent similar lateral movement and privilege escalation attacks.