GHSA-WXF3-4FVJ-VQQX

Vulnerability from github – Published: 2023-07-27 19:28 – Updated: 2026-01-16 21:55
Summary
Unsafe plugins can be installed via pack import by tenant admins
Details

Summary

Unsafe plugins (for instance sql-list) can be installed in subdomain tenants via pack import even if unsafe plugin installation for tenants is disabled.

Details

I have an example: https://bot20230704.saltcorn.com/view/all_plugins. It's publicly accessible (but contains no especially sensitive values other than the list of tenants). But using this mechanism one can read any data from other tenants.

Impact

All tenants of an installation (i.e. saltcorn.com) can be compromised by a tenant user who has admin access. If an untrusted user has admin rights to a tenant instance, they will be able to install a plug-in that can access information from other tenants.

Revived after 0.8.7

After the patch in 0.8.7 this is not fixed completely.

Here are the steps to reproduce:
1. Publish to NPM a plugin that was not approved by the admin (in the case of saltcorn.com, @glutamate). I've just published this one: https://www.npmjs.com/package/saltcorn-qrcode
2. Publish somewhere a plugin store that includes the plugin from the previous step: https://gist.github.com/pyhedgehog/f1fd7cb13f4d0a7ccf6a965748d19bd2
3. Add the plugin store link to the tenant's store.
4. Install the plugin.
5. Use it in the tenant: https://bot20230704.saltcorn.com/view/testqr_show/1

Here is the logic. Unsafe plugins are checked against this list: https://github.com/saltcorn/saltcorn/blob/99fe277e497fd193bb070acd8c663aa254a9907c/packages/server/load_plugins.js#L191 But that list is under the control of the tenant admin, not the server admin, so it is not a security boundary. Proposed logic:

    const safes = getRootState().getConfig("available_plugins",[]).filter(p=>!p.unsafe).map(p=>p.location);
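The distinction the advisory draws, as an added example that is not Saltcorn's code: a small model of the pack-import safety check, with the allowlist built from the tenant's own config (the situation the reporter describes) beside the root-state version the advisory proposes. Only the names getConfig, available_plugins, unsafe and location come from the advisory; the state objects, the pack layout and importPack are constructed here for illustration.

```javascript
// Added illustration of the check the advisory describes; this is a standalone
// model, not Saltcorn's own code. Only the names quoted in the advisory
// (getConfig, "available_plugins", unsafe, location) are taken from it; the
// state objects, the pack shape and importPack() are constructed here.

// Constructed root (server admin) config: sql-list is flagged unsafe, and the
// reporter's saltcorn-qrcode is not in the list at all (never approved).
const rootState = {
  getConfig(key, def) {
    const cfg = {
      available_plugins: [
        { name: "sql-list", location: "@saltcorn/sql-list", unsafe: true },
        { name: "markdown", location: "@saltcorn/markdown", unsafe: false },
      ],
    };
    return Object.prototype.hasOwnProperty.call(cfg, key) ? cfg[key] : def;
  },
};

// Constructed tenant config, controlled by the tenant admin. After adding their
// own plugin store (step 3 of the advisory) the tenant's list says whatever the
// tenant admin wants: here every plugin is marked safe.
const tenantState = {
  getConfig(key, def) {
    const cfg = {
      available_plugins: [
        { name: "sql-list", location: "@saltcorn/sql-list", unsafe: false },
        { name: "markdown", location: "@saltcorn/markdown", unsafe: false },
        { name: "saltcorn-qrcode", location: "saltcorn-qrcode", unsafe: false },
      ],
    };
    return Object.prototype.hasOwnProperty.call(cfg, key) ? cfg[key] : def;
  },
};

// Build the allowlist of safe plugin locations from a config state.
function safeLocationsFrom(state) {
  return state
    .getConfig("available_plugins", [])
    .filter((p) => !p.unsafe)
    .map((p) => p.location);
}

// Vulnerable check: trusts the tenant's own list. The tenant admin edits that
// list, so the check only restricts what the attacker chooses to be restricted by.
function safeLocationsVulnerable(tenant) {
  return safeLocationsFrom(tenant);
}

// Proposed fix from the advisory: derive the allowlist from the root state only.
function safeLocationsFixed(root) {
  return safeLocationsFrom(root);
}

// Pack import in a tenant: a plugin is installed only if its location is on the
// allowlist; anything unknown is rejected (allowlist semantics, not a denylist).
function importPack(pack, safeLocations) {
  const installed = [];
  const rejected = [];
  for (const plugin of pack.plugins) {
    if (safeLocations.includes(plugin.location)) installed.push(plugin.location);
    else rejected.push(plugin.location);
  }
  return { installed, rejected };
}

// Constructed pack modelled on the advisory's reproduction: an unsafe core
// plugin, the reporter's unreviewed npm package and one genuinely safe plugin.
const samplePack = {
  plugins: [
    { location: "@saltcorn/sql-list" },
    { location: "saltcorn-qrcode" },
    { location: "@saltcorn/markdown" },
  ],
};

// Run the same pack through both checks and return both outcomes.
function demo() {
  const before = importPack(samplePack, safeLocationsVulnerable(tenantState));
  const after = importPack(samplePack, safeLocationsFixed(rootState));
  return { before, after };
}

const { before, after } = demo();
console.log("tenant-controlled list:", before); // all three install
console.log("root-controlled list:  ", after);  // only @saltcorn/markdown installs
```

Run it with node. The point worth noticing is that the fixed check rejects saltcorn-qrcode not because anyone flagged it unsafe but because it is absent from the root list: a tenant boundary has to be an allowlist maintained by the server admin, since any list the tenant admin can edit can be rewritten to admit whatever they publish.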

{
  "affected": [
    {
      "package": {
        "ecosystem": "npm",
        "name": "@saltcorn/cli"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "0.8.8-beta.2"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [],
  "database_specific": {
    "cwe_ids": [],
    "github_reviewed": true,
    "github_reviewed_at": "2023-07-27T19:28:02Z",
    "nvd_published_at": null,
    "severity": "HIGH"
  },
  "details": "### Summary\nUnsafe plugins (for instance `sql-list`) can be installed in subdomain tenants via pack import even if unsafe plugin installation for tenants is disables\n\n### Details\nI have an example\nhttps://bot20230704.saltcorn.com/view/all_plugins\nIt\u0027s publicly accessible (but has not so secure values except list of tenants).\nBut using this mech one can read **any** data from other tenants.\n\n### Impact\nAll tenants of installation (i.e. `saltcorn.com`), can be compromised from tenant user has admin access. If an untrusted user has admin rights to a tenant instance, they will be able to install a plug-in that can access information from other tenants\n\n### Revived after 0.8.7\nAfter patch in 0.8.7 this is not fixed completely.\n\nHere are steps to reproduce:\n1. Publish to NPM plugin that was not approved by admin (in case of saltcorn.com) by @glutamate. I\u0027ve just published this one: https://www.npmjs.com/package/saltcorn-qrcode\n2. Publish somewhere plugin store that includes plugin from previous step: https://gist.github.com/pyhedgehog/f1fd7cb13f4d0a7ccf6a965748d19bd2\n3. Add plugin store link to tenant store.\n4. Install plugin.\n5. Use it in tenant: https://bot20230704.saltcorn.com/view/testqr_show/1\n\nHere are logic:\nUnsafe plugins checked against this list:\nhttps://github.com/saltcorn/saltcorn/blob/99fe277e497fd193bb070acd8c663aa254a9907c/packages/server/load_plugins.js#L191\nBut it\u0027s under control of tenant admin, not server admin.\nProposed login:\n```javascript\nconst safes = getRootState().getConfig(\"available_plugins\",[]).filter(p=\u003e!p.unsafe).map(p=\u003ep.location);\n```",
  "id": "GHSA-wxf3-4fvj-vqqx",
  "modified": "2026-01-16T21:55:54Z",
  "published": "2023-07-27T19:28:02Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/saltcorn/saltcorn/security/advisories/GHSA-wxf3-4fvj-vqqx"
    },
    {
      "type": "WEB",
      "url": "https://github.com/saltcorn/saltcorn/pull/1973"
    },
    {
      "type": "WEB",
      "url": "https://github.com/saltcorn/saltcorn/commit/0f32a51277a635c814a634bda9b6d358fb8c04ab"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/saltcorn/saltcorn"
    },
    {
      "type": "WEB",
      "url": "https://github.com/saltcorn/saltcorn/blob/99fe277e497fd193bb070acd8c663aa254a9907c/packages/server/load_plugins.js#L191"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Unsafe plugins can be installed via pack import by tenant admins"
}

