Back to KEVs

CVE-2022-25237

Bonita Web 2021.2 is affected by a authentication/authorization bypass vulnerability due to an overly broad exclude pattern used in the...

Basic Information

CVE State
PUBLISHED
Reserved Date
February 16, 2022
Published Date
May 27, 2022
Last Updated
August 03, 2024
Vendor
Bonitasoft
Product
Bonita Web
Description
Bonita Web 2021.2 is affected by a authentication/authorization bypass vulnerability due to an overly broad exclude pattern used in the RestAPIAuthorizationFilter. By appending ;i18ntranslation or /../i18ntranslation/ to the end of a URL, users with no privileges can access privileged API endpoints. This can lead to remote code execution by abusing the privileged API actions.

CVSS Scores

CVSS v3.1

9.8 - CRITICAL

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CVSS v2.0

7.5

Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P

EPSS Score

Score
77.96% (Percentile: 98.95%) as of 2025-07-17

Exploit Status

Exploited in the Wild
Yes (2025-07-01 00:00:00 UTC) Source

References

https://github.com/bonitasoft/bonita-web https://rhinosecuritylabs.com/application-security/cve-2022-25237-bonitasoft-authorization-bypass/

Known Exploited Vulnerability Information

Source Added Date
The Shadowserver (via CIRCL) 2025-07-02 12:00:24 UTC

Timeline

  • CVE ID Reserved

  • CVE Published to Public

  • Added to KEVIntel