CWE-639
AllowedAuthorization Bypass Through User-Controlled Key
Abstraction: Base · Status: Incomplete
The system's authorization functionality does not prevent one user from gaining access to another user's data or record by modifying the key value identifying the data.
3213 vulnerabilities reference this CWE, most recent first.
GHSA-5FWQ-2HQV-G62H
Vulnerability from github – Published: 2023-12-21 21:30 – Updated: 2023-12-29 18:30Improper access control in all versions of GitHub Enterprise Server allows unauthorized users to view private repository names via the "Get a check run" API endpoint. This vulnerability did not allow unauthorized access to any repository content besides the name. This vulnerability affected GitHub Enterprise Server version 3.7.0 and above and was fixed in version 3.17.19, 3.8.12, 3.9.7 3.10.4, and 3.11.0.
{
"affected": [],
"aliases": [
"CVE-2023-46646"
],
"database_specific": {
"cwe_ids": [
"CWE-639"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-12-21T21:15:08Z",
"severity": "MODERATE"
},
"details": "Improper access control in all versions of GitHub Enterprise Server allows unauthorized users to view private repository names via the \"Get a check run\" API endpoint. This vulnerability did not allow unauthorized access to any repository content besides the name.\u00a0This vulnerability affected GitHub Enterprise Server version 3.7.0 and above and was fixed in version 3.17.19, 3.8.12, 3.9.7 3.10.4, and 3.11.0.",
"id": "GHSA-5fwq-2hqv-g62h",
"modified": "2023-12-29T18:30:29Z",
"published": "2023-12-21T21:30:31Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-46646"
},
{
"type": "WEB",
"url": "https://docs.github.com/en/enterprise-server@3.10/admin/release-notes#3.10.4"
},
{
"type": "WEB",
"url": "https://docs.github.com/en/enterprise-server@3.7/admin/release-notes#3.7.19"
},
{
"type": "WEB",
"url": "https://docs.github.com/en/enterprise-server@3.8/admin/release-notes#3.8.12"
},
{
"type": "WEB",
"url": "https://docs.github.com/en/enterprise-server@3.9/admin/release-notes#3.9.7"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-5G65-RMXF-RGJ6
Vulnerability from github – Published: 2026-07-08 21:30 – Updated: 2026-07-08 21:30Bitwarden Server before 2026.6.0 does not verify that the email in a POST /auth-requests/admin-request body belongs to the authenticated caller, allowing a low-privileged organization member to obtain another user's vault key and a victim-scoped access token by creating a Trusted Device Encryption authentication request, bound to an attacker-controlled public key, that is readable from an unauthenticated endpoint once approved resulting in disclosure of the victim's vault key and account takeover.
{
"affected": [],
"aliases": [
"CVE-2026-60104"
],
"database_specific": {
"cwe_ids": [
"CWE-639"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-07-08T20:17:00Z",
"severity": "HIGH"
},
"details": "Bitwarden Server before 2026.6.0 does not verify that the email in a POST /auth-requests/admin-request body belongs to the authenticated caller, allowing a low-privileged organization member to obtain another user\u0027s vault key and a victim-scoped access token by creating a Trusted Device Encryption authentication request, bound to an attacker-controlled public key, that is readable from an unauthenticated endpoint once approved resulting in disclosure of the victim\u0027s vault key and account takeover.",
"id": "GHSA-5g65-rmxf-rgj6",
"modified": "2026-07-08T21:30:30Z",
"published": "2026-07-08T21:30:30Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-60104"
},
{
"type": "WEB",
"url": "https://github.com/bitwarden/server/pull/7615"
},
{
"type": "WEB",
"url": "https://github.com/bitwarden/server/commit/dcf4c486b2b5bedecc03a48b427243328cc74a9a"
},
{
"type": "WEB",
"url": "https://github.com/bitwarden/server/releases#release-v2026.6.0"
},
{
"type": "WEB",
"url": "https://sanjokkarki.com.np/blog/bitwarden-vault-key-heist"
},
{
"type": "WEB",
"url": "https://www.vulncheck.com/advisories/bitwarden-server-authorization-bypass-via-admin-auth-request"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
GHSA-5GC6-XHV4-2WG6
Vulnerability from github – Published: 2026-05-14 20:25 – Updated: 2026-05-15 23:54Summary
Pin/Unpin is a write operation (modifies the message's is_pinned, pinned_by, pinned_at fields), but in standard channels it only checks read permission, allowing users with read-only access to pin/unpin any message.
Details
https://github.com/open-webui/open-webui/blob/9bd84258d09eefe7bf975878fb0e31a5dadfe0f8/backend/open_webui/routers/channels.py#L1218
@router.post('/{id}/messages/{message_id}/pin', response_model=Optional[MessageUserResponse])
async def pin_channel_message(
request: Request,
id: str,
message_id: str,
form_data: PinMessageForm,
user=Depends(get_verified_user),
db: Session = Depends(get_session),
):
check_channels_access(request)
channel = Channels.get_channel_by_id(id, db=db)
if not channel:
raise HTTPException(status_code=status.HTTP_404_NOT_FOUND, detail=ERROR_MESSAGES.NOT_FOUND)
if channel.type in ['group', 'dm']:
if not Channels.is_user_channel_member(channel.id, user.id, db=db):
raise HTTPException(status_code=status.HTTP_403_FORBIDDEN, detail=ERROR_MESSAGES.DEFAULT())
else:
if user.role != 'admin' and not channel_has_access(user.id, channel, permission='read', db=db):
raise HTTPException(status_code=status.HTTP_403_FORBIDDEN, detail=ERROR_MESSAGES.DEFAULT())
The channel_has_access function https://github.com/open-webui/open-webui/blob/9bd84258d09eefe7bf975878fb0e31a5dadfe0f8/backend/open_webui/routers/channels.py#L75 checks user permissions against the AccessGrants table:
def channel_has_access(
user_id: str,
channel: ChannelModel,
permission: str = 'read', # 'read' or 'write'
strict: bool = True,
db: Optional[Session] = None,
) -> bool:
if AccessGrants.has_access(
user_id=user_id,
resource_type='channel',
resource_id=channel.id,
permission=permission,
db=db,
):
return True
# ...
The AccessGrant table distinguishes between read and write permission levels.
PoC
admin creates Standard Channel with Read-Only Access for test1 :
POST /api/v1/channels/create
Authorization:
Content-Type: application/json
{
"name": "pin-test-standard",
"access_grants": [
{
"principal_type": "user",
"principal_id": "cfc3cb19-9e92-4bf7-8b72-1b47fe4ff62c",
"permission": "read"
}
]
}
admin posts a Message in the Channel, and test1 has read permission only.
test1 attempts to Pin Message:
POST /api/v1/channels/0699b656-578f-4976-94b0-65e2b19752fd/messages/4797359b-aad5-4081-9617-e8ca58524a87/pin
Authorization: Bearer <test1_token>
Content-Type: application/json
{
"is_pinned": true
}
{
"id": "4797359b-aad5-4081-9617-e8ca58524a87",
"user_id": "28c859b7-84e2-4217-b4d7-3f0e43f7c4b9",
"is_pinned": true,
"pinned_by": "cfc3cb19-9e92-4bf7-8b72-1b47fe4ff62c",
"pinned_at": 1774716314908288719,
"content": "Admin announcement in standard channel - test1 should NOT be able to pin this"
}
Successfully pinned admin's message. pinned_by records test1's user ID.
test1 (Read-Only) can alse Unpin Message. The Pin/Unpin endpoint in standard channels only checks read permission, allowing read-only users to pin/unpin any message.
Impact
Read-only users can pin irrelevant messages, disrupting important information display in the channel .
Recommended Fix
Change the Pin endpoint's permission check from read to write .
{
"affected": [
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 0.9.4"
},
"package": {
"ecosystem": "PyPI",
"name": "open-webui"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "0.9.5"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-45386"
],
"database_specific": {
"cwe_ids": [
"CWE-639"
],
"github_reviewed": true,
"github_reviewed_at": "2026-05-14T20:25:58Z",
"nvd_published_at": "2026-05-15T21:16:37Z",
"severity": "MODERATE"
},
"details": "### Summary\n`Pin/Unpin` is a write operation (modifies the message\u0027s `is_pinned `, `pinned_by`, `pinned_at` fields), but in standard channels it only checks `read` permission, allowing users with read-only access to pin/unpin any message.\n\n### Details\nhttps://github.com/open-webui/open-webui/blob/9bd84258d09eefe7bf975878fb0e31a5dadfe0f8/backend/open_webui/routers/channels.py#L1218\n\n```\n@router.post(\u0027/{id}/messages/{message_id}/pin\u0027, response_model=Optional[MessageUserResponse])\nasync def pin_channel_message(\n request: Request,\n id: str,\n message_id: str,\n form_data: PinMessageForm,\n user=Depends(get_verified_user),\n db: Session = Depends(get_session),\n):\n check_channels_access(request)\n channel = Channels.get_channel_by_id(id, db=db)\n if not channel:\n raise HTTPException(status_code=status.HTTP_404_NOT_FOUND, detail=ERROR_MESSAGES.NOT_FOUND)\n\n if channel.type in [\u0027group\u0027, \u0027dm\u0027]:\n if not Channels.is_user_channel_member(channel.id, user.id, db=db):\n raise HTTPException(status_code=status.HTTP_403_FORBIDDEN, detail=ERROR_MESSAGES.DEFAULT())\n else:\n if user.role != \u0027admin\u0027 and not channel_has_access(user.id, channel, permission=\u0027read\u0027, db=db):\n raise HTTPException(status_code=status.HTTP_403_FORBIDDEN, detail=ERROR_MESSAGES.DEFAULT())\n```\n\nThe `channel_has_access` function https://github.com/open-webui/open-webui/blob/9bd84258d09eefe7bf975878fb0e31a5dadfe0f8/backend/open_webui/routers/channels.py#L75 checks user permissions against the `AccessGrants` table:\n\n```\ndef channel_has_access(\n user_id: str,\n channel: ChannelModel,\n permission: str = \u0027read\u0027, # \u0027read\u0027 or \u0027write\u0027\n strict: bool = True,\n db: Optional[Session] = None,\n) -\u003e bool:\n if AccessGrants.has_access(\n user_id=user_id,\n resource_type=\u0027channel\u0027,\n resource_id=channel.id,\n permission=permission,\n db=db,\n ):\n return True\n # ...\n```\n\nThe `AccessGrant` table distinguishes between `read` and `write` permission levels.\n\n### PoC\n`admin` creates Standard Channel with Read-Only Access for `test1` :\n\n```\nPOST /api/v1/channels/create\nAuthorization: \nContent-Type: application/json\n\n{\n \"name\": \"pin-test-standard\",\n \"access_grants\": [\n {\n \"principal_type\": \"user\",\n \"principal_id\": \"cfc3cb19-9e92-4bf7-8b72-1b47fe4ff62c\",\n \"permission\": \"read\"\n }\n ]\n}\n```\n\n`admin` posts a Message in the Channel, and `test1` has `read` permission only.\n\u003cimg width=\"1024\" height=\"423\" alt=\"image\" src=\"https://github.com/user-attachments/assets/e9912bd7-3908-44f2-8984-22d0535dc66f\" /\u003e\n\n`test1` attempts to Pin Message:\n\n```\nPOST /api/v1/channels/0699b656-578f-4976-94b0-65e2b19752fd/messages/4797359b-aad5-4081-9617-e8ca58524a87/pin\nAuthorization: Bearer \u003ctest1_token\u003e\nContent-Type: application/json\n\n{\n \"is_pinned\": true\n}\n```\n\n```\n{\n \"id\": \"4797359b-aad5-4081-9617-e8ca58524a87\",\n \"user_id\": \"28c859b7-84e2-4217-b4d7-3f0e43f7c4b9\",\n \"is_pinned\": true,\n \"pinned_by\": \"cfc3cb19-9e92-4bf7-8b72-1b47fe4ff62c\",\n \"pinned_at\": 1774716314908288719,\n \"content\": \"Admin announcement in standard channel - test1 should NOT be able to pin this\"\n}\n```\n\nSuccessfully pinned admin\u0027s message. `pinned_by` records test1\u0027s user ID.\n\u003cimg width=\"1024\" height=\"350\" alt=\"image\" src=\"https://github.com/user-attachments/assets/705b1f45-95a9-4e91-8a74-10bdbccde0b8\" /\u003e\n\n `test1` (Read-Only) can alse Unpin Message. The Pin/Unpin endpoint in standard channels only checks `read` permission, allowing read-only users to pin/unpin any message.\n\n### Impact\nRead-only users can pin irrelevant messages, disrupting important information display in the channel .\n\n### Recommended Fix\nChange the Pin endpoint\u0027s permission check from `read` to `write` .",
"id": "GHSA-5gc6-xhv4-2wg6",
"modified": "2026-05-15T23:54:18Z",
"published": "2026-05-14T20:25:58Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/open-webui/open-webui/security/advisories/GHSA-5gc6-xhv4-2wg6"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-45386"
},
{
"type": "PACKAGE",
"url": "https://github.com/open-webui/open-webui"
},
{
"type": "WEB",
"url": "https://github.com/open-webui/open-webui/releases/tag/v0.9.5"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N",
"type": "CVSS_V3"
}
],
"summary": "Open WebUI has an IDOR vulnerability in the pin_channel_message API endpoint"
}
GHSA-5H4F-JC9Q-52MX
Vulnerability from github – Published: 2025-08-20 09:30 – Updated: 2026-04-01 18:35Authorization Bypass Through User-Controlled Key vulnerability in paymayapg Maya Business allows Accessing Functionality Not Properly Constrained by ACLs. This issue affects Maya Business: from n/a through 1.2.0.
{
"affected": [],
"aliases": [
"CVE-2025-53208"
],
"database_specific": {
"cwe_ids": [
"CWE-639"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-08-20T08:15:40Z",
"severity": "HIGH"
},
"details": "Authorization Bypass Through User-Controlled Key vulnerability in paymayapg Maya Business allows Accessing Functionality Not Properly Constrained by ACLs. This issue affects Maya Business: from n/a through 1.2.0.",
"id": "GHSA-5h4f-jc9q-52mx",
"modified": "2026-04-01T18:35:55Z",
"published": "2025-08-20T09:30:40Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-53208"
},
{
"type": "WEB",
"url": "https://patchstack.com/database/wordpress/plugin/paymaya-checkout-for-woocommerce/vulnerability/wordpress-maya-business-1-2-0-insecure-direct-object-references-idor-vulnerability?_s_id=cve"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-5HF2-VHJ6-GJ9M
Vulnerability from github – Published: 2026-03-30 16:41 – Updated: 2026-03-30 21:26Summary
Nginx-UI contains an Insecure Direct Object Reference (IDOR) vulnerability that allows any authenticated user to access, modify, and delete resources belonging to other users. The application's base Model struct lacks a user_id field, and all resource endpoints perform queries by ID without verifying user ownership, enabling complete authorization bypass in multi-user environments.
Severity
High - CVSS 3.1 Score: 8.8 (High)
Vector String: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
Note: Original score was 7.5. The score was updated to 8.8 after discovering that sensitive data (DNS API tokens, ACME private keys) is stored in plaintext, which when combined with IDOR allows immediate credential theft without decryption.
Product
nginx-ui
Affected Versions
All versions up to and including v2.3.3
CWE
CWE-639: Authorization Bypass Through User-Controlled Key
Description
Exposed DNS Provider Credentials
The dns.Config structure (internal/cert/dns/config_env.go) contains API credentials:
type Configuration struct {
Credentials map[string]string `json:"credentials"` // API tokens here
Additional map[string]string `json:"additional"`
}
| Provider | Credential Fields | Impact if Leaked |
|---|---|---|
| Cloudflare | CF_API_TOKEN |
Full DNS zone control |
| Alibaba Cloud DNS | ALICLOUD_ACCESS_KEY, ALICLOUD_SECRET_KEY |
Full DNS control + potential IAM access |
| Tencent Cloud DNS | TENCENTCLOUD_SECRET_ID, TENCENTCLOUD_SECRET_KEY |
Full DNS control |
| AWS Route53 | AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY |
Route53 + potential AWS access |
| GoDaddy | GODADDY_API_KEY, GODADDY_API_SECRET |
DNS record modification |
Combined Attack: IDOR + Plaintext Storage
When the IDOR vulnerability is combined with plaintext storage, attackers can directly extract API tokens from other users' resources:
Attack Chain:
┌─────────────────────────────────────────────────────────────────┐
│ 1. Attacker authenticates with low-privilege account │
│ 2. Uses IDOR to enumerate: /api/dns_credentials/1,2,3... │
│ 3. Reads plaintext API tokens directly from HTTP response │
│ 4. No decryption needed - tokens stored in cleartext │
│ 5. Uses stolen tokens to: │
│ - Modify DNS records (domain hijacking) │
│ - Issue fraudulent SSL certificates │
│ - Pivot to cloud infrastructure │
└─────────────────────────────────────────────────────────────────┘
PoC: Extracting Plaintext Credentials via IDOR
# Attacker with low-privilege token accessing admin's DNS credential
curl -H "Authorization: $ATTACKER_TOKEN" \
https://nginx-ui.example.com/api/dns_credentials/1
# Response contains PLAINTEXT API token (no decryption required):
{
"id": 1,
"name": "Production Cloudflare",
"provider": "cloudflare",
"config": {
"credentials": {
"CF_API_TOKEN": "yhyQ7xR...plaintext_token_visible..."
}
}
}
Updated CVSS Score with Plaintext Storage
The plaintext storage increases the confidentiality impact:
CVSS 3.1 Score: 8.8 (High)
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
- Scope Changed (S:C): Impact extends to external services (DNS providers, cloud platforms)
- High Confidentiality (C:H): Plaintext API tokens immediately usable
- High Integrity (I:H): DNS records, certificates can be modified
- High Availability (A:H): Services can be disrupted via DNS/certificate manipulation
Attack Scenario: Certificate Hijacking
1. Attacker creates low-privilege account on nginx-ui
2. Uses IDOR to enumerate all DNS credentials: /api/dns_credentials/1,2,3...
3. Steals Cloudflare API token from admin's credential
4. Uses token to:
- Modify DNS records
- Issue fraudulent Let's Encrypt certificates
- Intercept traffic to victim domains
Credit
Discovered by security researcher during authorized security audit.
Recommendation
Immediate Mitigation
- Add User Ownership to Models
// model/model.go
type Model struct {
ID uint64 `gorm:"primary_key" json:"id"`
UserID uint64 `gorm:"index" json:"user_id"` // Add this field
CreatedAt time.Time `json:"created_at"`
UpdatedAt time.Time `json:"updated_at"`
DeletedAt *gorm.DeletedAt `gorm:"index" json:"deleted_at,omitempty"`
}
- Filter Queries by Current User
// api/certificate/dns_credential.go
func GetDnsCredential(c *gin.Context) {
id := cast.ToUint64(c.Param("id"))
currentUser := c.MustGet("user").(*model.User)
d := query.DnsCredential
dnsCredential, err := d.Where(
d.ID.Eq(id),
d.UserID.Eq(currentUser.ID), // Add user filter
).First()
if err != nil {
cosy.ErrHandler(c, err)
return
}
// ...
}
- Add Authorization Middleware
// middleware/authorization.go
func RequireOwnership(resourceType string) gin.HandlerFunc {
return func(c *gin.Context) {
currentUser := c.MustGet("user").(*model.User)
resourceID := cast.ToUint64(c.Param("id"))
// Check if resource belongs to current user
ownerID, err := getResourceOwner(resourceType, resourceID)
if err != nil || ownerID != currentUser.ID {
c.AbortWithStatusJSON(http.StatusForbidden, gin.H{
"message": "Access denied",
})
return
}
c.Next()
}
}
Database Migration
-- Add user_id column to all resource tables
ALTER TABLE dns_credentials ADD COLUMN user_id BIGINT;
ALTER TABLE certs ADD COLUMN user_id BIGINT;
ALTER TABLE acme_users ADD COLUMN user_id BIGINT;
ALTER TABLE sites ADD COLUMN user_id BIGINT;
ALTER TABLE streams ADD COLUMN user_id BIGINT;
ALTER TABLE configs ADD COLUMN user_id BIGINT;
-- Set default owner for existing resources
UPDATE dns_credentials SET user_id = 1 WHERE user_id IS NULL;
UPDATE certs SET user_id = 1 WHERE user_id IS NULL;
-- Add foreign key constraint
ALTER TABLE dns_credentials ADD CONSTRAINT fk_dns_credentials_user
FOREIGN KEY (user_id) REFERENCES users(id);
Long-term Improvements
- Implement role-based access control (RBAC)
- Add audit logging for resource access
- Implement resource sharing functionality with explicit permissions
- Add integration tests for authorization checks
Remediation for Plaintext Storage
Immediate Fix: Encrypt Sensitive Fields
Apply the same serializer:json[aes] pattern used for S3 credentials to DNS and ACME data:
model/dns_credential.go:
type DnsCredential struct {
Model
Name string `json:"name"`
Config *dns.Config `json:"config,omitempty" gorm:"serializer:json[aes]"` // Add AES encryption
Provider string `json:"provider"`
ProviderCode string `json:"provider_code" gorm:"index"`
}
model/acme_user.go:
type AcmeUser struct {
Model
// ...
Key PrivateKey `json:"-" gorm:"serializer:json[aes]"` // Add AES encryption
// ...
}
Data Migration
Existing plaintext data must be re-saved to trigger encryption:
func MigrateSensitiveData() error {
// Migrate DNS credentials
var dnsCreds []model.DnsCredential
query.DnsCredential.Find(&dnsCreds)
for _, cred := range dnsCreds {
query.DnsCredential.Save(&cred) // Re-save triggers AES encryption
}
// Migrate ACME users
var acmeUsers []model.AcmeUser
query.AcmeUser.Find(&acmeUsers)
for _, user := range acmeUsers {
query.AcmeUser.Save(&user)
}
return nil
}
Summary of Required Changes
| File | Line | Current | Fix |
|---|---|---|---|
model/dns_credential.go |
7 | serializer:json |
serializer:json[aes] |
model/acme_user.go |
Key field | serializer:json |
serializer:json[aes] |
References
- CWE-639: Authorization Bypass Through User-Controlled Key
- OWASP IDOR Prevention Cheat Sheet
- PortSwigger: IDOR Vulnerabilities
Disclosure Timeline
- 2026-03-13: Vulnerability discovered through source code audit
- 2026-03-13: Vulnerability successfully reproduced in local Docker environment
- 2026-03-13: All IDOR operations verified: READ, MODIFY, DELETE
- 2026-03-13: Security advisory prepared
- [Pending]: Report submitted to nginx-ui maintainers
- [Pending]: CVE ID requested
- [Pending]: Patch developed and tested
- [Pending]: Public disclosure (21-90 days after vendor notification)
{
"affected": [
{
"package": {
"ecosystem": "Go",
"name": "github.com/0xJacky/nginx-ui"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"last_affected": "1.99"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-33030"
],
"database_specific": {
"cwe_ids": [
"CWE-639",
"CWE-78"
],
"github_reviewed": true,
"github_reviewed_at": "2026-03-30T16:41:07Z",
"nvd_published_at": "2026-03-30T18:16:19Z",
"severity": "HIGH"
},
"details": "## Summary\n\nNginx-UI contains an Insecure Direct Object Reference (IDOR) vulnerability that allows any authenticated user to access, modify, and delete resources belonging to other users. The application\u0027s base `Model` struct lacks a `user_id` field, and all resource endpoints perform queries by ID without verifying user ownership, enabling complete authorization bypass in multi-user environments.\n\n## Severity\n\n**High** - CVSS 3.1 Score: **8.8 (High)**\n\nVector String: `CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H`\n\n**Note**: Original score was 7.5. The score was updated to 8.8 after discovering that sensitive data (DNS API tokens, ACME private keys) is stored in plaintext, which when combined with IDOR allows immediate credential theft without decryption.\n\n## Product\n\nnginx-ui\n\n## Affected Versions\n\nAll versions up to and including v2.3.3\n\n## CWE\n\nCWE-639: Authorization Bypass Through User-Controlled Key\n\n## Description\n\n### Exposed DNS Provider Credentials\n\nThe `dns.Config` structure (`internal/cert/dns/config_env.go`) contains API credentials:\n\n```go\ntype Configuration struct {\n Credentials map[string]string `json:\"credentials\"` // API tokens here\n Additional map[string]string `json:\"additional\"`\n}\n```\n\n| Provider | Credential Fields | Impact if Leaked |\n|----------|------------------|------------------|\n| Cloudflare | `CF_API_TOKEN` | Full DNS zone control |\n| Alibaba Cloud DNS | `ALICLOUD_ACCESS_KEY`, `ALICLOUD_SECRET_KEY` | Full DNS control + potential IAM access |\n| Tencent Cloud DNS | `TENCENTCLOUD_SECRET_ID`, `TENCENTCLOUD_SECRET_KEY` | Full DNS control |\n| AWS Route53 | `AWS_ACCESS_KEY_ID`, `AWS_SECRET_ACCESS_KEY` | Route53 + potential AWS access |\n| GoDaddy | `GODADDY_API_KEY`, `GODADDY_API_SECRET` | DNS record modification |\n\n### Combined Attack: IDOR + Plaintext Storage\n\nWhen the IDOR vulnerability is combined with plaintext storage, attackers can directly extract API tokens from other users\u0027 resources:\n\n```\nAttack Chain:\n\u250c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2510\n\u2502 1. Attacker authenticates with low-privilege account \u2502\n\u2502 2. Uses IDOR to enumerate: /api/dns_credentials/1,2,3... \u2502\n\u2502 3. Reads plaintext API tokens directly from HTTP response \u2502\n\u2502 4. No decryption needed - tokens stored in cleartext \u2502\n\u2502 5. Uses stolen tokens to: \u2502\n\u2502 - Modify DNS records (domain hijacking) \u2502\n\u2502 - Issue fraudulent SSL certificates \u2502\n\u2502 - Pivot to cloud infrastructure \u2502\n\u2514\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2518\n```\n\n### PoC: Extracting Plaintext Credentials via IDOR\n\n```bash\n# Attacker with low-privilege token accessing admin\u0027s DNS credential\ncurl -H \"Authorization: $ATTACKER_TOKEN\" \\\n https://nginx-ui.example.com/api/dns_credentials/1\n\n# Response contains PLAINTEXT API token (no decryption required):\n{\n \"id\": 1,\n \"name\": \"Production Cloudflare\",\n \"provider\": \"cloudflare\",\n \"config\": {\n \"credentials\": {\n \"CF_API_TOKEN\": \"yhyQ7xR...plaintext_token_visible...\"\n }\n }\n}\n```\n\n### Updated CVSS Score with Plaintext Storage\n\nThe plaintext storage increases the confidentiality impact:\n\n**CVSS 3.1 Score: 8.8 (High)**\n\nVector: `CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H`\n\n- **Scope Changed (S:C)**: Impact extends to external services (DNS providers, cloud platforms)\n- **High Confidentiality (C:H)**: Plaintext API tokens immediately usable\n- **High Integrity (I:H)**: DNS records, certificates can be modified\n- **High Availability (A:H)**: Services can be disrupted via DNS/certificate manipulation\n\n---\n\n### Attack Scenario: Certificate Hijacking\n\n```\n1. Attacker creates low-privilege account on nginx-ui\n2. Uses IDOR to enumerate all DNS credentials: /api/dns_credentials/1,2,3...\n3. Steals Cloudflare API token from admin\u0027s credential\n4. Uses token to:\n - Modify DNS records\n - Issue fraudulent Let\u0027s Encrypt certificates\n - Intercept traffic to victim domains\n```\n\n## Credit\n\nDiscovered by security researcher during authorized security audit.\n\n## Recommendation\n\n### Immediate Mitigation\n\n1. **Add User Ownership to Models**\n\n```go\n// model/model.go\ntype Model struct {\n ID uint64 `gorm:\"primary_key\" json:\"id\"`\n UserID uint64 `gorm:\"index\" json:\"user_id\"` // Add this field\n CreatedAt time.Time `json:\"created_at\"`\n UpdatedAt time.Time `json:\"updated_at\"`\n DeletedAt *gorm.DeletedAt `gorm:\"index\" json:\"deleted_at,omitempty\"`\n}\n```\n\n2. **Filter Queries by Current User**\n\n```go\n// api/certificate/dns_credential.go\nfunc GetDnsCredential(c *gin.Context) {\n id := cast.ToUint64(c.Param(\"id\"))\n currentUser := c.MustGet(\"user\").(*model.User)\n\n d := query.DnsCredential\n dnsCredential, err := d.Where(\n d.ID.Eq(id),\n d.UserID.Eq(currentUser.ID), // Add user filter\n ).First()\n\n if err != nil {\n cosy.ErrHandler(c, err)\n return\n }\n // ...\n}\n```\n\n3. **Add Authorization Middleware**\n\n```go\n// middleware/authorization.go\nfunc RequireOwnership(resourceType string) gin.HandlerFunc {\n return func(c *gin.Context) {\n currentUser := c.MustGet(\"user\").(*model.User)\n resourceID := cast.ToUint64(c.Param(\"id\"))\n\n // Check if resource belongs to current user\n ownerID, err := getResourceOwner(resourceType, resourceID)\n if err != nil || ownerID != currentUser.ID {\n c.AbortWithStatusJSON(http.StatusForbidden, gin.H{\n \"message\": \"Access denied\",\n })\n return\n }\n c.Next()\n }\n}\n```\n\n### Database Migration\n\n```sql\n-- Add user_id column to all resource tables\nALTER TABLE dns_credentials ADD COLUMN user_id BIGINT;\nALTER TABLE certs ADD COLUMN user_id BIGINT;\nALTER TABLE acme_users ADD COLUMN user_id BIGINT;\nALTER TABLE sites ADD COLUMN user_id BIGINT;\nALTER TABLE streams ADD COLUMN user_id BIGINT;\nALTER TABLE configs ADD COLUMN user_id BIGINT;\n\n-- Set default owner for existing resources\nUPDATE dns_credentials SET user_id = 1 WHERE user_id IS NULL;\nUPDATE certs SET user_id = 1 WHERE user_id IS NULL;\n\n-- Add foreign key constraint\nALTER TABLE dns_credentials ADD CONSTRAINT fk_dns_credentials_user\n FOREIGN KEY (user_id) REFERENCES users(id);\n```\n\n### Long-term Improvements\n\n1. Implement role-based access control (RBAC)\n2. Add audit logging for resource access\n3. Implement resource sharing functionality with explicit permissions\n4. Add integration tests for authorization checks\n\n---\n\n## Remediation for Plaintext Storage\n\n### Immediate Fix: Encrypt Sensitive Fields\n\nApply the same `serializer:json[aes]` pattern used for S3 credentials to DNS and ACME data:\n\n**model/dns_credential.go:**\n```go\ntype DnsCredential struct {\n Model\n Name string `json:\"name\"`\n Config *dns.Config `json:\"config,omitempty\" gorm:\"serializer:json[aes]\"` // Add AES encryption\n Provider string `json:\"provider\"`\n ProviderCode string `json:\"provider_code\" gorm:\"index\"`\n}\n```\n\n**model/acme_user.go:**\n```go\ntype AcmeUser struct {\n Model\n // ...\n Key PrivateKey `json:\"-\" gorm:\"serializer:json[aes]\"` // Add AES encryption\n // ...\n}\n```\n\n### Data Migration\n\nExisting plaintext data must be re-saved to trigger encryption:\n\n```go\nfunc MigrateSensitiveData() error {\n // Migrate DNS credentials\n var dnsCreds []model.DnsCredential\n query.DnsCredential.Find(\u0026dnsCreds)\n for _, cred := range dnsCreds {\n query.DnsCredential.Save(\u0026cred) // Re-save triggers AES encryption\n }\n\n // Migrate ACME users\n var acmeUsers []model.AcmeUser\n query.AcmeUser.Find(\u0026acmeUsers)\n for _, user := range acmeUsers {\n query.AcmeUser.Save(\u0026user)\n }\n\n return nil\n}\n```\n\n### Summary of Required Changes\n\n| File | Line | Current | Fix |\n|------|------|---------|-----|\n| `model/dns_credential.go` | 7 | `serializer:json` | `serializer:json[aes]` |\n| `model/acme_user.go` | Key field | `serializer:json` | `serializer:json[aes]` |\n\n## References\n\n- [CWE-639: Authorization Bypass Through User-Controlled Key](https://cwe.mitre.org/data/definitions/639.html)\n- [OWASP IDOR Prevention Cheat Sheet](https://cheatsheetseries.owasp.org/cheatsheets/Insecure_Direct_Object_Reference_Prevention_Cheat_Sheet.html)\n- [PortSwigger: IDOR Vulnerabilities](https://portswigger.net/web-security/access-control/idor)\n\n## Disclosure Timeline\n\n- **2026-03-13**: Vulnerability discovered through source code audit\n- **2026-03-13**: Vulnerability successfully reproduced in local Docker environment\n- **2026-03-13**: All IDOR operations verified: READ, MODIFY, DELETE\n- **2026-03-13**: Security advisory prepared\n- **[Pending]**: Report submitted to nginx-ui maintainers\n- **[Pending]**: CVE ID requested\n- **[Pending]**: Patch developed and tested\n- **[Pending]**: Public disclosure (21-90 days after vendor notification)",
"id": "GHSA-5hf2-vhj6-gj9m",
"modified": "2026-03-30T21:26:12Z",
"published": "2026-03-30T16:41:07Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/0xJacky/nginx-ui/security/advisories/GHSA-5hf2-vhj6-gj9m"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-33030"
},
{
"type": "PACKAGE",
"url": "https://github.com/0xJacky/nginx-ui"
},
{
"type": "WEB",
"url": "https://github.com/0xJacky/nginx-ui/releases/tag/v2.3.4"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H",
"type": "CVSS_V3"
}
],
"summary": "nginx-UI has Unencrypted Storage of DNS API Tokens and ACME Private Keys"
}
GHSA-5HR6-R8H6-WH22
Vulnerability from github – Published: 2022-05-24 19:05 – Updated: 2024-04-23 17:09The Jetpack Carousel module of the JetPack WordPress plugin before 9.8 allows users to create a "carousel" type image gallery and allows users to comment on the images. A security vulnerability was found within the Jetpack Carousel module by nguyenhg_vcs that allowed the comments of non-published page/posts to be leaked.
{
"affected": [
{
"package": {
"ecosystem": "Packagist",
"name": "automattic/jetpack"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "9.8"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2021-24374"
],
"database_specific": {
"cwe_ids": [
"CWE-284",
"CWE-639",
"CWE-668"
],
"github_reviewed": true,
"github_reviewed_at": "2024-04-23T17:09:16Z",
"nvd_published_at": "2021-06-21T20:15:00Z",
"severity": "MODERATE"
},
"details": "The Jetpack Carousel module of the JetPack WordPress plugin before 9.8 allows users to create a \"carousel\" type image gallery and allows users to comment on the images. A security vulnerability was found within the Jetpack Carousel module by nguyenhg_vcs that allowed the comments of non-published page/posts to be leaked.",
"id": "GHSA-5hr6-r8h6-wh22",
"modified": "2024-04-23T17:09:16Z",
"published": "2022-05-24T19:05:47Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-24374"
},
{
"type": "PACKAGE",
"url": "https://github.com/Automattic/jetpack-production"
},
{
"type": "WEB",
"url": "https://jetpack.com/2021/06/01/jetpack-9-8-engage-your-audience-with-wordpress-stories"
},
{
"type": "WEB",
"url": "https://wpscan.com/vulnerability/08a8a51c-49d3-4bce-b7e0-e365af1d8f33"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"type": "CVSS_V3"
}
],
"summary": "JetPack Exposure of Resource to Wrong Sphere"
}
GHSA-5J8P-MMP9-6FJ8
Vulnerability from github – Published: 2026-05-12 18:30 – Updated: 2026-05-13 00:48Insufficient ownership checks in clientarea.php allow an authenticated client area user to submit requests using another user’s addonId without any ownership validation leading to unauthorized access to the victim's resources and their cPanel account.
{
"affected": [],
"aliases": [
"CVE-2026-29204"
],
"database_specific": {
"cwe_ids": [
"CWE-639"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-05-12T18:16:51Z",
"severity": "CRITICAL"
},
"details": "Insufficient ownership checks in `clientarea.php` allow an authenticated client area user to submit requests using another user\u2019s `addonId` without any ownership validation leading to unauthorized access to the victim\u0027s resources and their cPanel account.",
"id": "GHSA-5j8p-mmp9-6fj8",
"modified": "2026-05-13T00:48:11Z",
"published": "2026-05-12T18:30:40Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-29204"
},
{
"type": "WEB",
"url": "https://help.whmcs.com/m/125386/l/2073908-cve-2026-29204"
},
{
"type": "WEB",
"url": "https://help.whmcs.com/m/125386/l/2073908-cve-2026-29204?token=_4RH-0s0febHsrNiC8GdPymsqg3_nSdT"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-5JC7-QJRP-83HW
Vulnerability from github – Published: 2022-05-24 17:28 – Updated: 2026-07-05 00:31Verint Workforce Optimization suite 15.1 (15.1.0.37634) has Unauthenticated Information Disclosure via API
{
"affected": [],
"aliases": [
"CVE-2020-23446"
],
"database_specific": {
"cwe_ids": [
"CWE-639"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2020-09-22T14:15:00Z",
"severity": "MODERATE"
},
"details": "Verint Workforce Optimization suite 15.1 (15.1.0.37634) has Unauthenticated Information Disclosure via API",
"id": "GHSA-5jc7-qjrp-83hw",
"modified": "2026-07-05T00:31:14Z",
"published": "2022-05-24T17:28:58Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-23446"
},
{
"type": "WEB",
"url": "https://tejaspingulkar.blogspot.com/2020/09/cve-2020-23446-verint-workforce.html"
},
{
"type": "WEB",
"url": "http://cvewalkthrough.com/variant-unauthenticated-information-disclosure-via-api"
},
{
"type": "WEB",
"url": "http://verint.com"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-5JF7-8333-M22J
Vulnerability from github – Published: 2022-08-10 00:00 – Updated: 2022-08-10 00:00Authorization Bypass Through User-Controlled Key in GitHub repository openemr/openemr prior to 7.0.0.1.
{
"affected": [],
"aliases": [
"CVE-2022-2730"
],
"database_specific": {
"cwe_ids": [
"CWE-639"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2022-08-09T12:15:00Z",
"severity": null
},
"details": "Authorization Bypass Through User-Controlled Key in GitHub repository openemr/openemr prior to 7.0.0.1.",
"id": "GHSA-5jf7-8333-m22j",
"modified": "2022-08-10T00:00:31Z",
"published": "2022-08-10T00:00:31Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-2730"
},
{
"type": "WEB",
"url": "https://github.com/openemr/openemr/commit/2973592bc7b1f4996738a6fd27d1e277e33676b6"
},
{
"type": "WEB",
"url": "https://huntr.dev/bounties/a81f39ab-092b-4941-b9ca-c4c8f2191504"
}
],
"schema_version": "1.4.0",
"severity": []
}
GHSA-5JP2-VWRJ-99RF
Vulnerability from github – Published: 2022-10-19 20:26 – Updated: 2025-04-16 16:08Impact
For some Post/Put Concourse endpoint containing :team_name in the URL, a Concourse user can send a request with body including :team_name=team2 to bypass team scope check to gain access to certain resources belong to any other team. The user only needs a valid user session and belongs to team2.
Exploitable endpoints:
{Path: "/api/v1/teams/:team_name/pipelines/:pipeline_name/jobs/:job_name/builds/:build_name", Method: "POST", Name: RerunJobBuild},
{Path: "/api/v1/teams/:team_name/pipelines/:pipeline_name/jobs/:job_name/pause", Method: "PUT", Name: PauseJob},
{Path: "/api/v1/teams/:team_name/pipelines/:pipeline_name/jobs/:job_name/unpause", Method: "PUT", Name: UnpauseJob},
{Path: "/api/v1/teams/:team_name/pipelines/:pipeline_name/jobs/:job_name/schedule", Method: "PUT", Name: ScheduleJob},
{Path: "/api/v1/teams/:team_name/pipelines/:pipeline_name/pause", Method: "PUT", Name: PausePipeline},
{Path: "/api/v1/teams/:team_name/pipelines/:pipeline_name/unpause", Method: "PUT", Name: UnpausePipeline},
{Path: "/api/v1/teams/:team_name/pipelines/:pipeline_name/expose", Method: "PUT", Name: ExposePipeline},
{Path: "/api/v1/teams/:team_name/pipelines/:pipeline_name/hide", Method: "PUT", Name: HidePipeline},
{Path: "/api/v1/teams/:team_name/pipelines/:pipeline_name/rename", Method: "PUT", Name: RenamePipeline},
{Path: "/api/v1/teams/:team_name/pipelines/:pipeline_name/archive", Method: "PUT", Name: ArchivePipeline},
{Path: "/api/v1/teams/:team_name/pipelines/:pipeline_name/resources/:resource_name/versions/:resource_config_version_id/enable", Method: "PUT", Name: EnableResourceVersion},
{Path: "/api/v1/teams/:team_name/pipelines/:pipeline_name/resources/:resource_name/versions/:resource_config_version_id/disable", Method: "PUT", Name: DisableResourceVersion},
{Path: "/api/v1/teams/:team_name/pipelines/:pipeline_name/resources/:resource_name/versions/:resource_config_version_id/pin", Method: "PUT", Name: PinResourceVersion},
{Path: "/api/v1/teams/:team_name/pipelines/:pipeline_name/resources/:resource_name/unpin", Method: "PUT", Name: UnpinResource},
{Path: "/api/v1/teams/:team_name/artifacts", Method: "POST", Name: CreateArtifact},
Steps to reproduce
- Set up a Concourse deployment with team 1 (with pipeline 1) and team 2. User is in team 2 but not team 1.
- Login as user to team 2.
fly -t ci login -n team2 -u user -p password
- Try pausing pipeline 1 in team 1 using fly. Verify the command output is
pipeline 'pipeline1' not found.
fly -t ci pause-pipeline -p pipeline1
- Send a customized request through
fly curlcommand intend to pause pipeline 1 again.
fly -t ci curl /api/v1/teams/team1/pipelines/pipeline1/pause -- -X PUT -d ":team_name=team2" -H "Content-type: application/x-www-form-urlencoded"
- pipeline 1 in team 1 will be paused.
In step 4, the parameter pollution would allow an user from any team to pause a pipeline that belongs to other team.
Patches
Concourse v6.7.9 and v7.8.3 were both released with a fix on October 12, 2022.
Instead of using FormValue to parse team_name in the request, where allows body parameters to take precedence over URL query string values, both patch versions are now using URL.Query().Get() over multiple scope handlers to prevent the parameter pollution.
Workarounds
No known workarounds for existing versions.
References
- https://github.com/concourse/concourse/pull/8566: PR with the fix
For more information
If you have any questions or comments about this advisory, you may reach us privately at security@concourse-ci.org.
{
"affected": [
{
"package": {
"ecosystem": "Go",
"name": "github.com/concourse/concourse"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "6.7.9"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Go",
"name": "github.com/concourse/concourse"
},
"ranges": [
{
"events": [
{
"introduced": "7.0.0"
},
{
"fixed": "7.8.3"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2022-31683"
],
"database_specific": {
"cwe_ids": [
"CWE-639",
"CWE-863"
],
"github_reviewed": true,
"github_reviewed_at": "2022-10-19T20:26:05Z",
"nvd_published_at": "2022-12-19T16:15:00Z",
"severity": "MODERATE"
},
"details": "### Impact\nFor some Post/Put Concourse endpoint containing `:team_name` in the URL, a Concourse user can send a request with body including `:team_name=team2` to bypass team scope check to gain access to certain resources belong to any other team. The user only needs a valid user session and belongs to team2.\n\nExploitable endpoints:\n```\n{Path: \"/api/v1/teams/:team_name/pipelines/:pipeline_name/jobs/:job_name/builds/:build_name\", Method: \"POST\", Name: RerunJobBuild},\n{Path: \"/api/v1/teams/:team_name/pipelines/:pipeline_name/jobs/:job_name/pause\", Method: \"PUT\", Name: PauseJob},\n{Path: \"/api/v1/teams/:team_name/pipelines/:pipeline_name/jobs/:job_name/unpause\", Method: \"PUT\", Name: UnpauseJob},\n{Path: \"/api/v1/teams/:team_name/pipelines/:pipeline_name/jobs/:job_name/schedule\", Method: \"PUT\", Name: ScheduleJob},\n\n{Path: \"/api/v1/teams/:team_name/pipelines/:pipeline_name/pause\", Method: \"PUT\", Name: PausePipeline},\n{Path: \"/api/v1/teams/:team_name/pipelines/:pipeline_name/unpause\", Method: \"PUT\", Name: UnpausePipeline},\n{Path: \"/api/v1/teams/:team_name/pipelines/:pipeline_name/expose\", Method: \"PUT\", Name: ExposePipeline},\n{Path: \"/api/v1/teams/:team_name/pipelines/:pipeline_name/hide\", Method: \"PUT\", Name: HidePipeline},\n{Path: \"/api/v1/teams/:team_name/pipelines/:pipeline_name/rename\", Method: \"PUT\", Name: RenamePipeline},\n{Path: \"/api/v1/teams/:team_name/pipelines/:pipeline_name/archive\", Method: \"PUT\", Name: ArchivePipeline},\n\n{Path: \"/api/v1/teams/:team_name/pipelines/:pipeline_name/resources/:resource_name/versions/:resource_config_version_id/enable\", Method: \"PUT\", Name: EnableResourceVersion},\n{Path: \"/api/v1/teams/:team_name/pipelines/:pipeline_name/resources/:resource_name/versions/:resource_config_version_id/disable\", Method: \"PUT\", Name: DisableResourceVersion},\n{Path: \"/api/v1/teams/:team_name/pipelines/:pipeline_name/resources/:resource_name/versions/:resource_config_version_id/pin\", Method: \"PUT\", Name: PinResourceVersion},\n{Path: \"/api/v1/teams/:team_name/pipelines/:pipeline_name/resources/:resource_name/unpin\", Method: \"PUT\", Name: UnpinResource},\n\t\n{Path: \"/api/v1/teams/:team_name/artifacts\", Method: \"POST\", Name: CreateArtifact},\n```\n\n### Steps to reproduce\n\n1. Set up a Concourse deployment with team 1 (with pipeline 1) and team 2. User is in team 2 but not team 1.\n2. Login as user to team 2.\n```\nfly -t ci login -n team2 -u user -p password\n```\n3. Try pausing pipeline 1 in team 1 using fly. Verify the command output is `pipeline \u0027pipeline1\u0027 not found`.\n```\nfly -t ci pause-pipeline -p pipeline1\n```\n\n\n4. Send a customized request through `fly curl` command intend to pause pipeline 1 again. \n```\nfly -t ci curl /api/v1/teams/team1/pipelines/pipeline1/pause -- -X PUT -d \":team_name=team2\" -H \"Content-type: application/x-www-form-urlencoded\"\n```\n5. pipeline 1 in team 1 will be paused.\n\nIn step 4, the parameter pollution would allow an user from any team to pause a pipeline that belongs to other team.\n\n### Patches\nConcourse [v6.7.9](https://github.com/concourse/concourse/releases/tag/v6.7.9) and [v7.8.3](https://github.com/concourse/concourse/releases/tag/v7.8.3) were both released with a fix on October 12, 2022.\n\nInstead of using [`FormValue`](https://pkg.go.dev/net/http#Request.FormValue) to parse team_name in the request, where allows body parameters to take precedence over URL query string values, both patch versions are now using `URL.Query().Get()` over multiple scope handlers to prevent the parameter pollution.\n\n### Workarounds\nNo known workarounds for existing versions.\n\n### References\n * https://github.com/concourse/concourse/pull/8566: PR with the fix\n\n### For more information\nIf you have any questions or comments about this advisory, you may reach us privately at [security@concourse-ci.org](mailto:security@concourse-ci.org).",
"id": "GHSA-5jp2-vwrj-99rf",
"modified": "2025-04-16T16:08:47Z",
"published": "2022-10-19T20:26:05Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/concourse/concourse/security/advisories/GHSA-5jp2-vwrj-99rf"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-31683"
},
{
"type": "WEB",
"url": "https://github.com/concourse/concourse/pull/8566"
},
{
"type": "WEB",
"url": "https://github.com/concourse/concourse/pull/8580"
},
{
"type": "WEB",
"url": "https://github.com/concourse/concourse/commit/57e06711b0d861775a5a6bd078a34abeb0e2638e"
},
{
"type": "WEB",
"url": "https://github.com/concourse/concourse/commit/ba885834d9bcbb9d1ccb9964faa7af0e78a72205"
},
{
"type": "PACKAGE",
"url": "https://github.com/concourse/concourse"
},
{
"type": "WEB",
"url": "https://github.com/concourse/concourse/releases/tag/v6.7.9"
},
{
"type": "WEB",
"url": "https://github.com/concourse/concourse/releases/tag/v7.8.3"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N",
"type": "CVSS_V3"
}
],
"summary": "Team scope authorization bypass when Post/Put request with :team_name in body, allows HTTP parameter pollution "
}
Mitigation
For each and every data access, ensure that the user has sufficient privilege to access the record that is being requested.
Mitigation
Make sure that the key that is used in the lookup of a specific user's record is not controllable externally by the user or that any tampering can be detected.
Mitigation
Use encryption in order to make it more difficult to guess other legitimate values of the key or associate a digital signature with the key so that the server can verify that there has been no tampering.
No CAPEC attack patterns related to this CWE.