User can read any series without permission in kareadita/kavita

Valid

Reported on

Sep 17th 2022


Description

A normal user can access any series without permission if they have access to at least one library.

Version

Tested on latest release 0.5.6.0 and on docker image 'kizaing/kavita:latest', with image pulled on September 17, 12:30 UTC (Digest: sha256:6e61cdadde2f80e68f1f26cdf935af5c8b3d0db6a7a5f248a4972d251d9998e9).

Details

The program uses URLs of the format:

http://localhost:5000/library/<library-number>/series/<series-number>

If the user has access to library-number 1 (for example), then the user can access any series through its series-number by using the URL:

http://localhost:5000/library/1/series/<series-number>

It does not matter whether the referenced series is actually in that library; the software gives the user access to the series regardless.

Note that the user does need to know the series-number, but since these are always handed out sequentially starting from 1, it is not hard for a user to enumerate everything that's available on the server, and access all available series.
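An added illustration of the access check described above, not Kavita's own code: a hypothetical data model with the pre-fix style of check (trusts the library number in the URL) beside a hardened version that resolves the owning library from the series record itself. Class, function and user names and the sample catalogue are constructed.

```python
import re
from dataclasses import dataclass, field

# Constructed stand-in for the application's data model (not Kavita's own code).
@dataclass(frozen=True)
class Series:
    series_id: int
    library_id: int  # the library this series actually belongs to

@dataclass
class User:
    name: str
    library_ids: set = field(default_factory=set)  # libraries the user may read

# Constructed sample catalogue: series 1 and 2 live in library 1, series 3 in library 2.
SERIES = {s.series_id: s for s in (Series(1, 1), Series(2, 1), Series(3, 2))}

# Matches the URL shape from the report: /library/<library-number>/series/<series-number>
PATH_RE = re.compile(r"^/library/(\d+)/series/(\d+)$")

def vulnerable_can_read(user: User, url_library_id: int, series_id: int) -> bool:
    """Pre-fix style check: trusts the library number taken from the URL and never
    verifies that the requested series is actually in that library."""
    if series_id not in SERIES:
        return False
    return url_library_id in user.library_ids

def hardened_can_read(user: User, url_library_id: int, series_id: int) -> bool:
    """Resolve the owning library from the series record and authorise against
    that; the library number in the URL is only a consistency check."""
    series = SERIES.get(series_id)
    if series is None:
        return False
    if series.library_id != url_library_id:
        return False  # URL names a library the series is not in: treat as not found
    return series.library_id in user.library_ids

def authorize_path(user: User, path: str, check=hardened_can_read) -> bool:
    """Parse a request path of the reported shape and run the chosen check."""
    m = PATH_RE.match(path)
    if not m:
        return False
    return check(user, int(m.group(1)), int(m.group(2)))

if __name__ == "__main__":
    alice = User("alice", {1})  # constructed user with access to library 1 only
    print(authorize_path(alice, "/library/1/series/3", vulnerable_can_read))  # True: the bug
    print(authorize_path(alice, "/library/1/series/3"))  # False with the hardened check
```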

Video PoC

https://drive.google.com/file/d/1HlThYOsbh6YeouLrXtpg1pgY3-n3biXt/view?usp=sharing

Impact

This vulnerability is capable of letting any user who has access to at least one library gain access to all series in all libraries.

We are processing your report and will contact the kareadita/kavita team within 24 hours. 2 months ago
kareadita/kavita maintainer has acknowledged this report 2 months ago
Joe Milazzo validated this vulnerability 2 months ago

This is a valid issue and has been fixed locally for v0.6.0 release.

ssepp has been awarded the disclosure bounty
We have sent a fix follow up to the kareadita/kavita team. We will try again in 7 days. 2 months ago
We have sent a second fix follow up to the kareadita/kavita team. We will try again in 10 days. 2 months ago
We have sent a third and final fix follow up to the kareadita/kavita team. This report is now considered stale. 2 months ago
Joe Milazzo (Maintainer), a month ago:
Just updating since it's been some time, this is patched but the release is taking some extra time to wrap up. This will be marked as fixed once the release is published.

Joe Milazzo marked this as fixed in 0.6.0 with commit 415b8c a month ago
Joe Milazzo has been awarded the fix bounty
This vulnerability will not receive a CVE
Joe Milazzo published this vulnerability a month ago