CVE-2023-38335: 
Omnis Studio vulnerability analysis and mitigation

Omnis Studio 10.22.00 contains an incorrect access control vulnerability (CVE-2023-38335). The software advertises a feature for making Omnis libraries "always private" which is supposed to be an irreversible operation. However, due to implementation issues, "always private" Omnis libraries can be opened by the Omnis Studio browser by bypassing specific checks, violating the expected behavior of an "irreversible operation". The vulnerability was discovered on March 30, 2023 and publicly disclosed on July 20, 2023 (SYSS Advisory).

The vulnerability is classified as an Expected Behavior Violation (CWE-440) with a CVSS v3.1 Base Score of 5.3 MEDIUM (Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N). The issue stems from insufficient implementation of access controls that allow bypassing the "always private" library protection mechanism. A proof-of-concept tool called "OmnisUnlocker" was developed to demonstrate the vulnerability by patching the Omnis Studio process to load private libraries in the browser (SYSS Advisory).

The vulnerability allows unauthorized access to Omnis libraries that were intended to be permanently private. This breaks the security model of the "always private" feature and could potentially expose sensitive information or proprietary code that was meant to be protected (SYSS Advisory).

As of the public disclosure, no solution or mitigation was available for this security issue. The manufacturer was notified on March 30, 2023, and again on April 6, 2023, but no fix had been provided (SYSS Advisory).

The vulnerability was demonstrated in a SySS Proof of Concept Video titled "Reversing the Irreversible - Part I" on their YouTube channel, showing the practical implications of the security issue (SYSS Advisory).