Описание
OliveTin Vulnerable to Unauthorized Action Output Disclosure via EventStream
Summary
OliveTin’s live EventStream broadcasts execution events and action output to authenticated dashboard subscribers without enforcing per-action authorization. A low-privileged authenticated user can receive output from actions they are not allowed to view, resulting in broken access control and sensitive information disclosure. I validated this on OliveTin 3000.10.2.
Details
The issue is in the live event streaming path.
EventStream() only checks whether the caller may access the dashboard, then registers the user as a stream subscriber:
- service/internal/api/api.go:776
After subscription, execution events are broadcast to all connected clients without checking whether each recipient is authorized to view logs for the action:
- service/internal/api/api.go:846 OnExecutionStarted
- service/internal/api/api.go:869 OnExecutionFinished
- service/internal/api/api.go:1047 OnOutputChunk
The event payload includes action output through:
- service/internal/api/api.go:295 internalLogEntryToPb
- service/internal/api/api.go:302 Output
By contrast, the normal log APIs do apply per-action authorization checks:
- service/internal/api/api.go:518 GetLogs
- service/internal/api/api.go:585 GetActionLogs
- service/internal/api/api.go:544 isLogEntryAllowed
Root cause:
- the subscription path enforces only coarse dashboard access
- execution callbacks broadcast to every connected client
- no per-recipient ACL check is applied before sending action metadata or output
I validated the issue using:
- an admin user with full ACLs
- an alice user with no ACLs
- a protected action that outputs TOPSECRET=alpha-bravo-charlie
Despite having no relevant ACLs, alice still receives the ExecutionFinished event for the privileged action, including the protected output.
PoC
Tested version:
- Fetch and check out 3000.10.2 in a clean worktree:
- Copy the PoC test into the clean tree:
- Run the targeted PoC test:
- Optional: save validation output:
Observed validation output:
What this proves:
- admin can execute the protected action
- alice has no ACLs
- alice still receives the streamed completion event for the protected action
- protected action output is exposed through the event stream
Impact
This is an authenticated broken access control / information disclosure vulnerability.
A low-privileged authenticated user can subscribe to EventStream and receive:
- action execution metadata
- execution tracking IDs
- initiating username
- live output chunks
- final command output
Who is impacted:
- multi-user OliveTin deployments
- environments where privileged actions produce secrets, tokens, internal system details, or other sensitive operational output
- deployments where lower-privileged authenticated users can access the dashboard and subscribe to live events
This bypasses intended per-action log/view restrictions for protected actions.
Пакеты
github.com/OliveTin/OliveTin
< 3000.10.2
3000.10.2
Связанные уязвимости
OliveTin gives access to predefined shell commands from a web interface. In 3000.10.2 and earlier, OliveTin’s live EventStream broadcasts execution events and action output to authenticated dashboard subscribers without enforcing per-action authorization. A low-privileged authenticated user can receive output from actions they are not allowed to view, resulting in broken access control and sensitive information disclosure.