IDOR vulnerability allows attackers to arbitrarily add, delete, and modify workspaces within an organization in cloudexplorer-dev/cloudexplorer-lite

Valid

Reported on

May 13th 2023


Proof of Concept

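1. There are two organizations in the system, team1 and team2.
2. User user1 is an administrator of team1, but not of team2.
3. User1 creates a workspace named workspace1 in team1.
4. User1 intercepts the request with Burp Suite and replaces team1's ID in the request with team2's ID.
5. Checking the request, the result shows success: user1 can create workspaces in team2 at will.

Reproduction video: https://1drv.ms/v/s!Avwg5C1eKVA4gispbgvOYQkvQ9KP?e=4yimBo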

Impact

The PoC uses only creation as an example; in practice an attacker can arbitrarily add, delete, and modify workspaces within an organization.
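The authorization gap behind the steps above, as an added example (not code from the report or from cloudexplorer-lite): a handler that trusts the organization ID in the request, next to one that authorizes the caller against that organization, plus a delete that resolves the owner from stored state. The role table, the IDs, the `organizationId` field name and all class and function names are assumptions made for illustration.

```python
from dataclasses import dataclass, field

# Constructed sample data: (user, organization id) -> role held in that organization.
ORG_ROLES = {("user1", "team1-id"): "ADMIN", ("user2", "team2-id"): "ADMIN"}


class Forbidden(Exception):
    """Caller lacks the admin role on the organization that owns the object."""


def require_org_admin(caller: str, org_id: str) -> None:
    if ORG_ROLES.get((caller, org_id)) != "ADMIN":
        raise Forbidden(f"{caller} is not an admin of {org_id}")


@dataclass
class WorkspaceService:  # hypothetical service, not the project's class
    workspaces: dict = field(default_factory=dict)  # workspace id -> owning org id
    seq: int = 0

    def create_vulnerable(self, caller: str, body: dict) -> str:
        # Only checks that the caller is an admin of *some* organization, then
        # trusts the organizationId supplied in the request body.
        if not any(u == caller and r == "ADMIN" for (u, _), r in ORG_ROLES.items()):
            raise Forbidden(caller)
        return self._insert(body)

    def create(self, caller: str, body: dict) -> str:
        # Authorize against the organization named in the request itself.
        require_org_admin(caller, body["organizationId"])
        return self._insert(body)

    def delete(self, caller: str, workspace_id: str) -> None:
        # Resolve the owner from stored state, never from a client-supplied field.
        require_org_admin(caller, self.workspaces[workspace_id])
        del self.workspaces[workspace_id]

    def _insert(self, body: dict) -> str:
        self.seq += 1
        self.workspaces[f"ws-{self.seq}"] = body["organizationId"]
        return f"ws-{self.seq}"


def cross_org_create_blocked(create_fn) -> bool:
    """True if user1 (admin of team1 only) is refused a workspace in team2."""
    try:
        create_fn("user1", {"organizationId": "team2-id", "name": "workspace1"})
    except Forbidden:
        return True
    return False
```

The same per-object check belongs on every create, update and delete route, which is why the report's impact extends beyond the creation request shown in the PoC.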

We are processing your report and will contact the cloudexplorer-dev/cloudexplorer-lite team within 24 hours. 12 days ago
lujiefsi
12 days ago

Researcher


The command used to set up the system is: /bin/bash -c "$(curl -fsSL https://resource.fit2cloud.com/cloudexplorer-lite/installer/releases/latest/quick_start.sh)"

We have contacted a member of the cloudexplorer-dev/cloudexplorer-lite team and are waiting to hear back 10 days ago
10 days ago

Maintainer


Thank you for your feedback. We have confirmed that this vulnerability will be fixed in the next version.

Can you give us a CVE number first and we will issue credits to you.

lujiefsi
10 days ago

Researcher


Hi: Maintainer

I do not have the permission to assign a CVE.

@admin from huntr, could you please help Maintainer to obtain a CVE number?

But you can mark this report as valid first.

lujiefsi
10 days ago

Researcher


@Maintainer But you can mark this report as valid first.

lujiefsi
10 days ago

Researcher


@Maintainer even if the report is marked as valid, it is still not public.

10 days ago

Maintainer


Okay, thank you for your suggestion!

We have applied for the CVE number.

We have sent a follow up to the cloudexplorer-dev/cloudexplorer-lite team. We will try again in 7 days. 3 days ago
cloudexplorer-dev/cloudexplorer-lite maintainer validated this vulnerability 3 days ago
lujiefsi has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
Ben Harvie
3 days ago

Admin


A CVE will be applied during the fix & publish stage.

3 days ago

Maintainer


Thank you. We have fixed this vulnerability in v1.1.0 and will release it on May 23rd. After release, we will mark it as fixed.

cloudexplorer-dev/cloudexplorer-lite maintainer marked this as fixed in v1.1.0 with commit d9f55a 3 days ago
The fix bounty has been dropped
This vulnerability has been assigned a CVE
cloudexplorer-dev/cloudexplorer-lite maintainer published this vulnerability 3 days ago