CVE-2021-37705: 
Python vulnerability analysis and mitigation

OneFuzz is an open source self-hosted Fuzzing-As-A-Service platform. A vulnerability (CVE-2021-37705) was discovered that affects versions 2.12.0 through 2.31.0, where an incomplete authorization check allows an authenticated user from any Azure Active Directory tenant to make authorized API calls to a vulnerable OneFuzz instance. The vulnerability only affects deployments that are both running version 2.12.0 or greater and deployed with the non-default --multi_tenant_domain option (GHSA Advisory).

The vulnerability stems from an incomplete authorization check in the authentication mechanism. When deployed with the --multi_tenant_domain option, the system failed to properly validate the bearer token's issuer against an administrator-configured allowlist. This allowed authenticated users from any Azure Active Directory tenant to bypass authorization controls and make authorized API calls to the OneFuzz instance. The vulnerability has been assigned a CVSS v3.1 base score of 10.0 CRITICAL (AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H) (NVD).

The vulnerability can result in unauthorized access to sensitive data including software vulnerability information, crash information, security testing tools, and proprietary code and symbols. Additionally, through authorized API calls, attackers could tamper with existing data and potentially execute unauthorized code on Azure compute resources (GHSA Advisory).

The vulnerability was fixed in release 2.31.0 through the addition of application-level checks of the bearer token's issuer against an administrator-configured allowlist. For users unable to upgrade immediately, a workaround is available by redeploying the OneFuzz instance in the default configuration, which omits the --multi_tenant_domain option (OneFuzz Release).