GHSA-MRQX-MJC4-VFH3
Vulnerability from github – Published: 2023-02-02 19:26 – Updated: 2023-02-02 19:27Impact
The annotations feature lets users add annotations on highlighted parts of an entry.
The controller does not validate authorization on PUT and DELETE requests which lets a logged user modify or delete any annotation using their ID on their endpoints example.org/annotations/{id}.
These vulnerable requests also disclose highlighted parts of the entry to the attacker.
You should immediately patch your instance to version 2.5.3 or higher if you have more than one user and/or having open registration.
Resolution
A user check is now done in the vulnerable methods before applying change on an annotation.
The Annotation retrieval through a ParamConverter has also been replaced with a call to the AnnotationRepository in order to prevent any information disclosure through response discrepancy.
Workarounds
Credits
We would like to thank @bAuh0lz for reporting this issue through huntr.dev.
Reference: https://huntr.dev/bounties/8fdd9b31-d89b-4bbe-9557-20b960faf926/
{
"affected": [
{
"package": {
"ecosystem": "Packagist",
"name": "wallabag/wallabag"
},
"ranges": [
{
"events": [
{
"introduced": "2.0.0-beta.1"
},
{
"fixed": "2.5.3"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2023-0610"
],
"database_specific": {
"cwe_ids": [],
"github_reviewed": true,
"github_reviewed_at": "2023-02-02T19:26:47Z",
"nvd_published_at": null,
"severity": "MODERATE"
},
"details": "### Impact\nThe annotations feature lets users add annotations on highlighted parts of an entry.\n\nThe controller does not validate authorization on `PUT` and `DELETE` requests which lets a logged user modify or delete any annotation using their ID on their endpoints `example.org/annotations/{id}`.\n\nThese vulnerable requests also disclose highlighted parts of the entry to the attacker.\n\nYou should immediately patch your instance to version 2.5.3 or higher if you have more than one user and/or having open registration.\n\n### Resolution\n\nA user check is now done in the vulnerable methods before applying change on an annotation.\n\nThe Annotation retrieval through a `ParamConverter` has also been replaced with a call to the `AnnotationRepository` in order to prevent any information disclosure through response discrepancy.\n\n### Workarounds\n\n\n\n### Credits\n\nWe would like to thank @bAuh0lz for reporting this issue through huntr.dev.\n\nReference: https://huntr.dev/bounties/8fdd9b31-d89b-4bbe-9557-20b960faf926/\n",
"id": "GHSA-mrqx-mjc4-vfh3",
"modified": "2023-02-02T19:27:16Z",
"published": "2023-02-02T19:26:47Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/wallabag/wallabag/security/advisories/GHSA-mrqx-mjc4-vfh3"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-0610"
},
{
"type": "WEB",
"url": "https://github.com/wallabag/wallabag/commit/5ac6b6bff9e2e3a87fd88c2904ff3c6aac40722e"
},
{
"type": "PACKAGE",
"url": "https://github.com/wallabag/wallabag"
},
{
"type": "WEB",
"url": "https://huntr.dev/bounties/8fdd9b31-d89b-4bbe-9557-20b960faf926"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N",
"type": "CVSS_V3"
}
],
"summary": "wallabag subject to Improper Authorization via annotations"
}
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.