InvenTree Deploys a Weak Password Change Mechanism in inventree/inventree

Valid

Reported on

Jun 16th 2022


Description

When setting a new user password, InvenTree does not require knowledge of the original password or using another form of authentication.

Proof of Concept

1. Log in as a regular user 
2. Go to the account settings link
3. Select Set Password
4. Enter any 8-character password string (this form is not constrained by the common passwords blocked in initial user creation).

Impact

If an attacker can gain access to an active user session (i.e. accessing terminal when user stands up), it would not be necessary to know the victim's current password in order to fully compromise the account.

We are processing your report and will contact the inventree team within 24 hours. 9 days ago
Joe Helle
9 days ago

Researcher


If/when accepted can we please assign this a CVE?

inventree/inventree maintainer has acknowledged this report 9 days ago
Matthias Mair validated this vulnerability 9 days ago
Joe Helle has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
Matthias Mair confirmed that a fix has been merged on b9c9f5 9 days ago
Matthias Mair has been awarded the fix bounty
Matthias Mair
9 days ago

The fix is targeted for 0.8.0 - which is yet to be released. We discussed the severity in the team and do not think a CVE is warranted.

Joe Helle
9 days ago

Researcher


Understood. No worries on my end.

to join this conversation