CVE-2021-38147: 
NixOS vulnerability analysis and mitigation

Wipro Holmes Orchestrator 20.4.1 (20.4.10211_2020) contains an authentication bypass vulnerability that allows remote attackers to download arbitrary files, including sensitive reports, due to missing authentication requirements for API access. The vulnerability specifically affects API endpoints related to downloading various report types including Domain Credential, User, Process, Infrastructure, and Resolver reports (PacketStorm, NVD).

The vulnerability exists in the API endpoints that handle report downloads, specifically in paths like processexecution/DownloadExcelFile/DomainCredentialReport_Excel and similar report endpoints. The core issue is the complete absence of authentication checks when accessing these API endpoints, allowing unauthenticated attackers to directly download sensitive reports. The vulnerability has been assigned a CVSS v3.1 base score of 7.5 (HIGH) with vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N, indicating high impact on confidentiality (NVD).

The vulnerability allows unauthorized access to sensitive information contained in various system reports. Attackers can download Domain Credential Reports, User Reports, Process Reports, Infrastructure Reports, and Resolver Reports without authentication, potentially exposing critical system and user information (NVD).

No official patches or mitigations have been publicly disclosed by Wipro at the time of this report. Organizations using affected versions of Wipro Holmes Orchestrator should implement network-level access controls to restrict access to the vulnerable API endpoints and monitor for unauthorized access attempts (Wipro).