IDORs with unpredictable IDs are valid vulnerabilities in metersphere/metersphere
Reported on Mar 27th 2023
1. Create two workspaces, workspace1 and workspace2; their admins are admin1 and admin2.
2. Log in as user1 and create project1.
4. Use Burp Suite to hijack the request and replace workspace1's workspaceId with workspace2's workspaceId.
5. We can find that project1 has a new project, even though admin2 is not the admin of workspace2.
IDORs with unpredictable IDs are also valid vulnerabilities; see https://rez0.blog/hacking/cybersecurity/2022/08/18/unpredictable-idors.html
Impact
We only use "add project" as an example. You can do anything you want with other workspaces.
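As an added illustration (not metersphere's code), a minimal Python model of the missing server-side check: the vulnerable handler acts on whatever workspace id the request carries, while the fixed handler verifies that the caller administers that workspace. Workspace ids, user names and the in-memory state are constructed for the example.

```python
"""Constructed model of a 'create project in workspace' handler (not metersphere code)."""
from __future__ import annotations

from dataclasses import dataclass, field


class Forbidden(Exception):
    """Raised when the caller may not act on the target workspace."""


@dataclass
class Workspace:
    workspace_id: str                  # unpredictable id, e.g. a UUID (constructed here)
    admins: set[str]                   # users allowed to manage this workspace
    projects: list[str] = field(default_factory=list)


def make_sample_state() -> dict[str, Workspace]:
    """Two workspaces with distinct admins, mirroring the report's setup (constructed)."""
    return {
        "ws-1-a8c3f0": Workspace("ws-1-a8c3f0", {"admin1"}),
        "ws-2-5d91e7": Workspace("ws-2-5d91e7", {"admin2"}),
    }


def create_project_vulnerable(workspaces: dict[str, Workspace], caller: str,
                              workspace_id: str, project_name: str) -> list[str]:
    """Defect: the handler only checks that the workspace exists.

    Any authenticated user who knows (or intercepts) another workspace's id can
    create projects there; an unguessable id does not help, because the id is
    never tied to the caller's permissions.
    """
    ws = workspaces[workspace_id]
    ws.projects.append(project_name)
    return ws.projects


def create_project_fixed(workspaces: dict[str, Workspace], caller: str,
                         workspace_id: str, project_name: str) -> list[str]:
    """Fixed: bind the object id to the caller's authorization before acting.

    Unknown ids and non-admin callers are rejected the same way, so the
    response does not reveal whether a guessed id exists.
    """
    ws = workspaces.get(workspace_id)
    if ws is None or caller not in ws.admins:
        raise Forbidden("caller is not an admin of the target workspace")
    ws.projects.append(project_name)
    return ws.projects
```

In the report's scenario, `create_project_vulnerable` lets admin1 add project1 to workspace2, while `create_project_fixed` raises `Forbidden` and leaves workspace2 unchanged.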
Thank you for your feedback. We have no problems with the latest versions of v1 and v2. The vulnerability refers to the master branch. This branch has not been maintained for a long time, and this branch has been deleted.
@admin This issue was confirmed later and was assigned CVE-2023-32310. metersphere has not published this CVE and can mark this issue as private again.
@admin Sorry about that, the CVE number is still not assigned. The maintainer told me that they will fix it in the next version. Admin, please mark it as private first.
@admin This vulnerability has been fixed by commit https://github.com/metersphere/metersphere/commit/6337d932ce85f03ac28aca65e31108b49226db45. After discussing with the maintainer, they won't assign a CVE for some reason. They have published and fixed the vulnerability in their release 1.20.23 LTS. So we can mark it as valid and publish it now.
Besides, the project should be https://github.com/metersphere/metersphere/. I don't know why the project was changed to pimcore/customer-data-framework.