Cross-Site Request Forgery (CSRF) in patrowl/patrowlmanager

Valid

Reported on

Dec 10th 2021


Description

Hi there, there is a CSRF in duplicating a rule due to the usage of the GET method.

Proof of Concept

  1. Install a local instance of PatrowlManager
  2. Go to the rule list and create a new rule
  3. Access this link http://localhost:8083/rules/api/v1/alerting/duplicate/1 and see that the rule is duplicated

Impact

This vulnerability is capable of duplicating rules.
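The root cause is a state-changing action bound to GET with no request token, so the browser's automatic cookie attachment is all a cross-site page needs. The following is an added example, not PatrowlManager's code: a constructed in-memory rule store and request dicts, with the reported "duplicate on GET" pattern next to a hardened handler that requires POST plus a per-session token (the field name `csrfmiddlewaretoken` is borrowed from Django as a label; the rest is framework-agnostic).

```python
import hmac
import secrets

# Endpoint path from the report; the rule store and request dicts are constructed stand-ins.
DUPLICATE_PATH = "/rules/api/v1/alerting/duplicate/"


def duplicate_rule(rules, rule_id):
    """State change: copy the rule with `rule_id` under a fresh id."""
    new_id = max(rules) + 1
    rules[new_id] = dict(rules[rule_id], id=new_id)
    return new_id


def rule_id_from_path(path):
    return int(path[len(DUPLICATE_PATH):])


def vulnerable_handler(request, rules):
    """Before: a plain GET to the duplicate URL performs the action.
    The browser sends the session cookie with any cross-site GET, so the
    request needs nothing the victim's page does not already have (the reported CSRF)."""
    if request["method"] == "GET" and request["path"].startswith(DUPLICATE_PATH):
        duplicate_rule(rules, rule_id_from_path(request["path"]))
        return 200
    return 405


def issue_csrf_token(session):
    """Bind a random token to the session; the form embeds it in a hidden field."""
    session["csrf_token"] = secrets.token_urlsafe(32)
    return session["csrf_token"]


def hardened_handler(request, rules):
    """After: state change only on POST, and only with the session's own token.
    `csrfmiddlewaretoken` is Django's hidden-field name, used here as a label."""
    if request["method"] != "POST":
        return 405  # GET (and HEAD) must stay side-effect free
    expected = request.get("session", {}).get("csrf_token", "")
    supplied = request.get("form", {}).get("csrfmiddlewaretoken", "")
    if not expected or not hmac.compare_digest(expected, supplied):
        return 403  # token absent or wrong: reject as a forged cross-site request
    duplicate_rule(rules, rule_id_from_path(request["path"]))
    return 200
```

A forged GET (no token) succeeds against the first handler and is refused by the second; a POST carrying the session's token is the only path that still duplicates a rule.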

We are processing your report and will contact the patrowl/patrowlmanager team within 24 hours. 2 years ago
A GitHub Issue asking the maintainers to create a SECURITY.md exists 2 years ago
We have contacted a member of the patrowl/patrowlmanager team and are waiting to hear back 2 years ago
We have sent a follow up to the patrowl/patrowlmanager team. We will try again in 7 days. 2 years ago
patrowl/patrowlmanager maintainer
2 years ago

Maintainer


Hi there, vulnerability confirmed, but I suggest reviewing the CVSS score to 6.1 (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:L/A:L).

patrowl/patrowlmanager maintainer validated this vulnerability 2 years ago
ComradeKtg has been awarded the disclosure bounty
The fix bounty is now up for grabs
patrowl/patrowlmanager maintainer marked this as fixed in 1.7.8 with commit 58f373 2 years ago
The fix bounty has been dropped
This vulnerability will not receive a CVE