CVE-2023-27095: 
Java vulnerability analysis and mitigation

Insecure Permissions vulnerability was discovered in OpenGoofy Hippo4j version 1.4.3, affecting the Tenant Management module. The vulnerability was disclosed on March 15, 2023, and allows attackers to escalate privileges through the AddUser method of the UserController function (NVD, CVE).

The vulnerability exists in the ConfigVerifyController of the Tenant Management module. The issue stems from the thread pool modificationApplicationPage method not performing user identity verification, while the verifyConfigModification method in the same Controller layer does authenticate the current user. This inconsistency allows unauthorized access to sensitive endpoints (GitHub Issue). The vulnerability has been assigned a CVSS v3.1 base score of 6.5 (Medium) with the vector string: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N (NVD).

The vulnerability allows unauthorized users to access the '/hippo4j/v1/cs/configs/verify/query/application/page' interface to retrieve information and the '/hippo4j/v1/cs/configs/verify' interface to modify thread pool audit status. This leads to potential information disclosure and unauthorized system modifications (GitHub Issue).

Users should upgrade to a version newer than 1.4.3 to address this vulnerability (GitHub Issue).