Improper Privilege Management in rhizome-conifer/conifer

Valid

Reported on

Dec 23rd 2021

Description

Hi there, I would like to report an improper privilege escalation in conifer. Any user can view all recordings of other users.

Go to https://conifer.rhizome.org/ and register 2 accounts, let's call it user1 and user2
Use user1 and create a collection, let's name this collection1
Login as user2 and go to this link https://conifer.rhizome.org/api/v1/recordings?user=<user1>&coll=collection1
See that you can view all recordings of user1.

This vulnerability is capable of viewing all users recordings.

We are processing your report and will contact the rhizome-conifer/conifer team within 24 hours. 2 years ago

A GitHub Issue asking the maintainers to create a SECURITY.md exists 2 years ago

We have contacted a member of the rhizome-conifer/conifer team and are waiting to hear back 2 years ago

We have sent a follow up to the rhizome-conifer/conifer team. We will try again in 7 days. 2 years ago

We have sent a second follow up to the rhizome-conifer/conifer team. We will try again in 10 days. 2 years ago

We have sent a third and final follow up to the rhizome-conifer/conifer team. This report is now considered stale. 2 years ago

A rhizome-conifer/conifer maintainer validated this vulnerability 2 years ago

ComradeKtg has been awarded the disclosure bounty

The fix bounty is now up for grabs

A rhizome-conifer/conifer maintainer marked this as fixed in 1 with commit 955948 2 years ago

The fix bounty has been dropped

This vulnerability will not receive a CVE

to join this conversation