IDOR vulnerability allows an attacker to arbitrarily add, delete, and modify workspaces within an organization in cloudexplorer-dev/cloudexplorer-lite

Valid

Reported on

May 13th 2023


Proof of Concept

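1. Two organizations exist in the system, team1 and team2.
2. User user1 is an administrator of team1 and is not an administrator of team2.
3. user1 creates a workspace named workspace1 in team1.
4. user1 intercepts the request with Burp Suite and replaces the ID of team1 with the ID of team2 in the request.
5. Inspect the request: the result shows success, and user1 can create workspaces in team2 at will.

Reproduction video: https://1drv.ms/v/s!Avwg5C1eKVA4gispbgvOYQkvQ9KP?e=4yimBo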

Impact

The PoC uses only creation as an example; in fact, an attacker can arbitrarily add, delete, and modify workspaces within an organization.
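The server-side check whose absence the report describes, as an added Python model (not code from the report or from CloudExplorer Lite, and not the v1.1.0 fix). `Workspaces`, `Session`, `attempt` and the `organizationId` field name are assumptions made for the example; team1, team2, user1 and workspace1 come from the PoC. It also covers the modify and delete cases named under Impact, where the check has to run against the organization of the stored record.

```python
import uuid
from collections import namedtuple

Session = namedtuple("Session", "user admin_of")  # admin_of: org ids resolved server-side

class Workspaces:
    def __init__(self):
        self.rows = {}  # workspace id -> {"name", "organizationId"} (hypothetical schema)

    def _require_admin(self, session, org_id):
        if org_id not in session.admin_of:  # PermissionError stands in for an HTTP 403
            raise PermissionError(f"{session.user} is not an administrator of {org_id}")

    def create_unchecked(self, session, body):
        # Behaviour the report describes: the organization ID in the body is trusted as sent.
        ws_id = uuid.uuid4().hex
        self.rows[ws_id] = {"name": body["name"], "organizationId": body["organizationId"]}
        return ws_id

    def create(self, session, body):
        self._require_admin(session, body["organizationId"])
        return self.create_unchecked(session, body)

    def update(self, session, ws_id, body):
        row = self.rows[ws_id]
        self._require_admin(session, row["organizationId"])  # owner of the stored record
        target = body.get("organizationId", row["organizationId"])
        self._require_admin(session, target)  # destination, if the body moves the workspace
        row.update(name=body.get("name", row["name"]), organizationId=target)

    def delete(self, session, ws_id):
        self._require_admin(session, self.rows[ws_id]["organizationId"])
        del self.rows[ws_id]

def attempt(call):
    try:
        call()
        return "allowed"
    except PermissionError:
        return "denied"

def demo():
    store = Workspaces()
    user1 = Session("user1", frozenset({"team1"}))  # constructed: admin of team1 only
    swapped = {"name": "workspace1", "organizationId": "team2"}  # body after the ID swap
    ws = store.create_unchecked(user1, swapped)  # accepted: the workspace lands in team2
    return {"unchecked_org": store.rows[ws]["organizationId"],
            "create": attempt(lambda: store.create(user1, swapped)),
            "update": attempt(lambda: store.update(user1, ws, {"name": "renamed"})),
            "delete": attempt(lambda: store.delete(user1, ws))}
```
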

We are processing your report and will contact the cloudexplorer-dev/cloudexplorer-lite team within 24 hours. 10 months ago
lujiefsi
10 months ago

Researcher


The command to set up the system is: /bin/bash -c "$(curl -fsSL https://resource.fit2cloud.com/cloudexplorer-lite/installer/releases/latest/quick_start.sh)"

We have contacted a member of the cloudexplorer-dev/cloudexplorer-lite team and are waiting to hear back 9 months ago
9 months ago

Thank you for your feedback. We have confirmed that this vulnerability will be fixed in the next version

Can you give us a CVE number first and we will issue credits to you.

lujiefsi
9 months ago

Researcher


Hi: Maintainer

I do not have the permission to assign a CVE.

@admin from huntr, could you please help Maintainer to obtain a CVE number?

But you can mark this report as valid first.

lujiefsi
9 months ago

Researcher


@Maintainer But you can mark this report as valid first.

lujiefsi
9 months ago

Researcher


@Maintainer even if the report is marked as valid, it is still not public.

9 months ago

Okay, thank you for your suggestion!

We have applied for the CVE number.

We have sent a follow up to the cloudexplorer-dev/cloudexplorer-lite team. We will try again in 4 days. 9 months ago
cloudexplorer-dev/cloudexplorer-lite maintainer validated this vulnerability 9 months ago
lujiefsi has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
Ben Harvie
9 months ago

Admin


A CVE will be applied during the fix & publish stage.

9 months ago

Thank you. We have fixed this vulnerability in v1.1.0 and will release it on May 23rd. After release, we will mark it as fixed

cloudexplorer-dev/cloudexplorer-lite maintainer marked this as fixed in v1.1.0 with commit d9f55a 9 months ago
The fix bounty has been dropped
This vulnerability has now been published 9 months ago