Improper Access Control in Configuration (Credential store) in pandorafms/pandorafms

Valid

Reported on Feb 20th 2022

Description

Pandora FMS v7.0NG.759 has improper access control in Configuration (Credential store): a user with the Operator (Write) role could create, delete, and view existing keys, all of which are outside the intended role.

Proof of Concept

Affected endpoint:

POST http://$HOST/pandora_console/ajax.php

PoC image:

Operator (Write) ACL

Create a key in Operator (Write) session

View key in Operator (Write) session

Delete key in Operator (Write) session

Impact

This vulnerability allows a user to modify or perform a business function outside the limits of their role.

We are processing your report and will contact the pandorafms team within 24 hours. (10 months ago)
We have contacted a member of the pandorafms team and are waiting to hear back. (9 months ago)
We have sent a follow up to the pandorafms team. We will try again in 7 days. (9 months ago)
pandorafms/pandorafms maintainer
9 months ago

As an official CNA, we have reserved the following CVE (CVE-2022-26309) and this vulnerability will be fixed in version v761.

We have sent a second follow up to the pandorafms team. We will try again in 10 days. (9 months ago)
We have sent a third and final follow up to the pandorafms team. This report is now considered stale. (9 months ago)