CVE-2022-31022 – Missing Role Based Access Control for the REST handlers in bleve/http package

https://notcve.org/view.php?id=CVE-2022-31022

01 Jun 2022 — Bleve is a text indexing library for go. Bleve includes HTTP utilities under bleve/http package, that are used by its sample application. These HTTP methods pave way for exploitation of a node’s filesystem where the bleve index resides, if the user has used bleve’s own HTTP (bleve/http) handlers for exposing the access to the indexes. For instance, the CreateIndexHandler (`http/index_create.go`) and DeleteIndexHandler (`http/index_delete.go`) enable an attacker to create a bleve index (directory structure) ... • https://github.com/blevesearch/bleve/commit/1c7509d6a17d36f265c90b4e8f4e3a3182fe79ff • CWE-288: Authentication Bypass Using an Alternate Path or Channel CWE-306: Missing Authentication for Critical Function •