Micro Services, Major Headaches: Detecting Vulnerabilities in Erxes' Microservices

In this article, a developer explains how they used SonarCloud to triage and identify vulnerabilities in an open-source project called Erxes. They discovered two intentionality issues that impacted the security of the software. The first issue was a path traversal vulnerability where user input was not correctly sanitized or escaped, allowing attackers to read arbitrary files on the file system. The second issue was an authentication bypass vulnerability where any user could become an admin on an Erxes instance just by sending a special header. These vulnerabilities were fixed in subsequent updates of the software. The author emphasizes the importance of using tools like SonarCloud and securing communication between microservices to prevent security vulnerabilities from reaching production environments.