Improper Privilege Management in rhizome-conifer/conifer

Valid

Reported on

Dec 23rd 2021


Description

Hi there, I would like to report an improper privilege escalation in conifer. Any user can view all recordings of other users.

Proof of Concept

  1. Go to https://conifer.rhizome.org/ and register 2 accounts, let's call it user1 and user2
  2. Use user1 and create a collection, let's name this collection1
  3. Login as user2 and go to this link https://conifer.rhizome.org/api/v1/recordings?user=<user1>&coll=collection1
  4. See that you can view all recordings of user1.

Impact

This vulnerability is capable of viewing all users recordings.

We are processing your report and will contact the rhizome-conifer/conifer team within 24 hours. 5 months ago
We have contacted a member of the rhizome-conifer/conifer team and are waiting to hear back 5 months ago
We have sent a follow up to the rhizome-conifer/conifer team. We will try again in 7 days. 5 months ago
We have sent a second follow up to the rhizome-conifer/conifer team. We will try again in 10 days. 5 months ago
We have sent a third and final follow up to the rhizome-conifer/conifer team. This report is now considered stale. 4 months ago
rhizome-conifer/conifer maintainer validated this vulnerability 4 months ago
M0rphling has been awarded the disclosure bounty
The fix bounty is now up for grabs
rhizome-conifer/conifer maintainer confirmed that a fix has been merged on 955948 4 months ago
The fix bounty has been dropped
to join this conversation