Improper Access Control in chocobozzz/peertube

Valid

Reported on

Dec 31st 2021


Description

Unauthenticated users can obtain the caption of private videos

Proof of Concept

1: First, create a private video and upload a caption

2: As an unauthenticated user, logout and visit the

/api/v1/videos/1/captions 

3: The response should return a lazy-static URL

{"total":1,"data":[{"language":{"id":"ase","label":"American Sign Language"},"captionPath":"/lazy-static/video-captions/62569eec-cdf5-4582-9cb0-af07d20d900c-ase.vtt"}]}

4: Visit the lazy-static URL and see you can access captions while unauthenticated.

Impact

This vulnerability is capable of disclosure of captions of private videos to unauthenticated users.

We are processing your report and will contact the chocobozzz/peertube team within 24 hours. 17 days ago
We have contacted a member of the chocobozzz/peertube team and are waiting to hear back 16 days ago
We have sent a follow up to the chocobozzz/peertube team. We will try again in 7 days. 13 days ago
chocobozzz validated this vulnerability 11 days ago
haxatron has been awarded the disclosure bounty
The fix bounty is now up for grabs
chocobozzz confirmed that a fix has been merged on 795212 11 days ago
chocobozzz has been awarded the fix bounty