Improper Privilege Management in patrowl/patrowlmanager


Reported on Dec 11th 2021


Hi there, I would like to report an improper privilege management issue in PatrowlManager - it's an IDOR. All finding import files are placed under /media/imports/<owner_id>/<tmp_file>. There, owner_id is predictable and tmp_file is in the format import_<owner_id>_<time_created>, for example: import_1_1639213059582.json. This filename is predictable and allows anyone, without logging in, to download all finding import files.

Proof of Concept

  1. Install PatrowlManager locally.
  2. Go to Finding -> Manual Import, choose a file and import the finding.
  3. See that a new file with the format import_<owner_id>_<time_created> is created under the folder media/imports/<owner_id>.
  4. Now open an anonymous browser tab and access the link http://localhost:8083/media/imports/<owner_id>/<tmp_file>.
  5. See that you can download the file without logging in.


This vulnerability is capable of allowing users who are not logged in to download all finding import files.
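The two weaknesses the report describes are independent: the media directory is served without any authentication or ownership check, and the file name is built only from guessable parts (owner id and a timestamp). The following is an added example, not PatrowlManager's own code, showing the server-side check a download handler should perform before returning a file from that layout, plus an unpredictable file-name scheme. It assumes the /media/imports/<owner_id>/<tmp_file> layout from the report; `authorize_import_download` and `generate_import_filename` are hypothetical names, and the sample requests are constructed for illustration.

```python
import re
import secrets
import time

# Expected layout from the report: /media/imports/<owner_id>/<tmp_file>.
# The filename must itself be a well-formed import name; this rules out
# '..' segments and any other file living under the media root.
IMPORT_PATH_RE = re.compile(
    r"^/media/imports/(?P<owner_id>\d+)/"
    r"(?P<filename>import_(?P<file_owner>\d+)_\d+(?:_[A-Za-z0-9_-]+)?\.json)$"
)


def authorize_import_download(request_user_id, is_authenticated, requested_path):
    """Return True only if a logged-in user is fetching their own import file.

    This is the check the report says is missing: the media directory was
    served to anonymous users, so neither authentication nor ownership was
    verified before the file was returned.
    """
    if not is_authenticated or request_user_id is None:
        return False  # anonymous access to imports is never allowed
    m = IMPORT_PATH_RE.fullmatch(requested_path)
    if m is None:
        return False  # outside the expected layout (traversal, odd names, etc.)
    if m.group("owner_id") != m.group("file_owner"):
        return False  # directory and file disagree about the owner
    if int(m.group("owner_id")) != int(request_user_id):
        return False  # IDOR: requester is not the owner of this import
    return True


def generate_import_filename(owner_id, now_ms=None):
    """Build an import file name that cannot be enumerated.

    The report notes that import_<owner_id>_<time_created>.json is guessable.
    This keeps the owner/timestamp prefix for bookkeeping but appends 128 bits
    of CSPRNG output, so knowing the owner id and the upload time is not enough
    to derive the name. Ownership checks are still required; randomness alone
    is not access control.
    """
    if now_ms is None:
        now_ms = int(time.time() * 1000)
    token = secrets.token_urlsafe(16)  # 16 random bytes, base64url encoded
    return f"import_{owner_id}_{now_ms}_{token}.json"


def evaluate_requests(requests):
    """Apply the check to a list of (user_id, authenticated, path) tuples."""
    return [authorize_import_download(uid, auth, path) for uid, auth, path in requests]


if __name__ == "__main__":
    # Constructed sample requests mirroring the report's scenario.
    sample = [
        (1, True, "/media/imports/1/import_1_1639213059582.json"),    # owner, logged in
        (None, False, "/media/imports/1/import_1_1639213059582.json"), # anonymous tab
        (2, True, "/media/imports/1/import_1_1639213059582.json"),    # another user
        (1, True, "/media/imports/1/../2/import_2_1639213059582.json"),  # traversal
    ]
    for req, allowed in zip(sample, evaluate_requests(sample)):
        print(req[2], "->", "ALLOW" if allowed else "DENY")
    print(generate_import_filename(1, 1639213059582))
```

In a Django deployment the same rule belongs in a view that streams the file after the check passes, with the media directory itself removed from the web server's public static/media configuration, since a correct view does nothing if the path is still reachable directly.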

We are processing your report and will contact the patrowl/patrowlmanager team within 24 hours. 2 years ago
A GitHub Issue asking the maintainers to create a exists 2 years ago
We have contacted a member of the patrowl/patrowlmanager team and are waiting to hear back 2 years ago
patrowl/patrowlmanager maintainer validated this vulnerability 2 years ago
ktg9 has been awarded the disclosure bounty
The fix bounty is now up for grabs
patrowl/patrowlmanager maintainer
2 years ago


Hi again! Will fix ASAP in v1.7.7. Stay tuned ;)

patrowl/patrowlmanager maintainer marked this as fixed in 1.7.7 with commit ba276f 2 years ago
The fix bounty has been dropped