Improper Privilege Management in patrowl/patrowlmanager


Reported on

Dec 11th 2021


Hi there, I would like to report an improper privilege management in PatrowlManager - it's an IDOR. All imports findings file is placed under /media/imports/<owner_id>/<tmp_file> In that, owner_id is predictable and tmp_file is in format of import_<ownder_id>_<time_created>, for example: import_1_1639213059582.json This filename is predictable and allows anyone without logging in to download all finding import files

Proof of Concept

  1. Install PatrowlManager on local.
  2. Go to Finding -> Manual Import, choose a file and import finding.
  3. See that a new file with format import_<ownder_id>_<time_created> is created under folder media/imports/<owner_id>.
  4. Now open an anonymous browser tab and access the link http://localhost:8083/media/imports/<owner_id>/<tmp_file>.
  5. See that you can download the file without logging in


This vulnerability is capable of allowing unlogged in users to download all finding imports file

We are processing your report and will contact the patrowl/patrowlmanager team within 24 hours. a year ago
We have contacted a member of the patrowl/patrowlmanager team and are waiting to hear back a year ago
patrowl/patrowlmanager maintainer validated this vulnerability a year ago
M0rphling has been awarded the disclosure bounty
The fix bounty is now up for grabs
patrowl/patrowlmanager maintainer
a year ago


Hi again ! Will fix ASAP in v1.7.7. Stay tuned ;)

patrowl/patrowlmanager maintainer marked this as fixed in 1.7.7 with commit ba276f a year ago
The fix bounty has been dropped
This vulnerability will not receive a CVE
to join this conversation