GHSA-r32r-j5jq-3w4m

Описание

Summary

A Manager account (access_all=false) was able to escalate privileges by directly invoking the bulk-access API against collections that were not originally assigned to them. The API allowed changing assigned=false to assigned=true, resulting in unauthorized access.

Additionally, prior to the bulk-access call, the regular single-update API correctly returned 401 Unauthorized for the same collection. After executing the bulk-access API, the same update API returned 200 OK, confirming an authorization gap at the HTTP level.

Description

• The endpoint accepts ManagerHeadersLoose and does not validate access rights for the specified collectionIds. src/api/core/organizations.rs:551

  headers: ManagerHeadersLoose,

• The received collection_ids are processed directly without per-collection authorization checks. src/api/core/organizations.rs:564

  for col_id in data.collection_ids {

• Existing group assignments for the collection are deleted. src/api/core/organizations.rs:583

  CollectionGroup::delete_all_by_collection(&col_id, &conn).await?;

• Existing user assignments for the collection are deleted. src/api/core/organizations.rs:590

  CollectionUser::delete_all_by_collection(&col_id, &conn).await?;

• By comparison, another bulk-processing endpoint performs per-collection validation using from_loose. src/api/core/organizations.rs:787

  let headers = ManagerHeaders::from_loose(headers, &collections, &conn).await?;

• The actual access control logic is implemented in can_access_collection, which is not invoked in the bulk-access endpoint. src/auth.rs:911

  if !Collection::can_access_collection(&h.membership, col_id, conn).await {

Preconditions

• The attacker possesses a valid Manager account within the target organization.
• The organization contains collections that are not assigned to the attacker.
• The attacker can authenticate through the standard API login process (Owner/Admin privileges are not required).

Steps to Reproduce

1. Log in as a Manager and obtain a Bearer token.

   

2. Confirm the current values of assigned, manage, readOnly, and hidePasswords for the target collection.

   

3. Verify that the standard update API returns 401 Unauthorized when attempting to modify the unassigned collection.

   

4. Invoke the bulk-access API, including:

   
   • collectionIds containing the target collection
   • users containing the attacker’s own membership_id Confirm that the API returns 200 OK.

5. Re-run the standard update API. Confirm that it now succeeds and that the previously unauthorized modification is applied.

   

Required Minimum Privileges

• Manager role within the target organization (the issue occurs even when access_all=false)

Attack Scenario

A delegated administrator or department-level Manager within an organization directly calls the API to add themselves to unauthorized collections and gain access to confidential information.

Because the bulk update process deletes and reassigns existing permissions, the attacker can also remove other users’ access, enabling denial-of-service or sabotage within the organization.

Potential Impact

• Confidentiality: Unauthorized access to sensitive information within restricted collections.
• Integrity: Unauthorized modification of collection permission settings and arbitrary changes to access controls.
• Availability: Deletion of existing assignments may cause legitimate users to lose access.