This document outlines a critical security vulnerability found in the Ellucian Banner System, particularly in version 9.17 and earlier versions. The vulnerability has been identified in systems used by various universities in Saudi Arabia, potentially exposing sensitive student data.
- Type: Insecure Direct Object Reference (IDOR)
- Endpoint Affected:
/StudentSelfService/ssb/studentCard/retrieveData
- Parameter in Question:
bannerId
- Impact: Unauthorized exposure of sensitive student data, including personal identifiers, academic records, and contact information.
- Log in to the Banner system using legitimate user credentials.
- Navigate to the URL endpoint that retrieves student card information.
- Modify the
bannerId
parameter in the URL to a different student's identifier. - Observe that the system displays information for the altered
bannerId
, bypassing necessary authorization checks.
The vulnerability impacts the Ellucian Banner System, version 9.17 and earlier. It is crucial for institutions using these versions to take immediate action to mitigate the risks.
- Immediate Patching: Ellucian should urgently develop and release a security patch for the affected versions.
- Enhanced Authorization Checks: Implement strict authorization checks on the affected endpoint.
- System Audit: Conduct a thorough audit to identify and fix similar vulnerabilities.
- Regular Updates and Training: Establish protocols for regular system updates and user training on security best practices.
- Ongoing Monitoring: Continuously monitor the system for signs of unauthorized access or exploitation attempts.
This vulnerability has been registered with the CVE ID: CVE-2023-49339. Further details and updates regarding the vulnerability will be provided as they become available.
Abdulaziz Naif Almadhi