None of these issues allow for RCE or privilege escalation.
Result File Path Normalization
The API was not validating that uploaded result file paths are relative
and free of '..' components. In practice this was not exploitable because:
- some S3 servers (MinIO and Ceph were tested) reject '..' in object keys
- the agent panics when downloading a file with an absolute path
- Thorctl nests the absolute path under its own relative path and returns an
error
Regardless, this has been resolved: Thorium now validates result file paths
and rejects any absolute path, as well as any path in which a component
consists only of '.' characters (e.g. '.', '..' or '...').
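The check described above, written out as an added example (this is not Thorium's own code). It treats both '/' and '\' as separators and a leading separator or Windows drive prefix as absolute, which are assumptions about what "absolute" should mean for a path that may have been uploaded from any platform; the error type and function name are invented for the example.

```rust
use std::path::Path;

/// Why a result file path was rejected.
#[derive(Debug, Clone, PartialEq, Eq)]
pub enum PathError {
    Empty,
    Absolute,
    /// A component made up solely of '.' characters, such as ".", ".." or "...".
    DotOnlyComponent(String),
}

/// Validate a user-supplied result file path before it is used as an object
/// key or joined onto a local directory. Only relative paths whose components
/// are real names are accepted. '/' and '\\' are both treated as separators so
/// the check behaves the same whatever platform the upload came from
/// (an assumption made for this example).
pub fn validate_result_path(raw: &str) -> Result<&str, PathError> {
    if raw.is_empty() {
        return Err(PathError::Empty);
    }
    let bytes = raw.as_bytes();
    // Absolute forms: a leading separator, or a Windows drive prefix like "C:".
    if bytes[0] == b'/' || bytes[0] == b'\\' {
        return Err(PathError::Absolute);
    }
    if bytes.len() >= 2 && bytes[0].is_ascii_alphabetic() && bytes[1] == b':' {
        return Err(PathError::Absolute);
    }
    // Path::has_root catches anything the manual checks miss on the host platform.
    if Path::new(raw).has_root() {
        return Err(PathError::Absolute);
    }
    // Inspect every component by splitting the raw string. Path::components()
    // is deliberately not used here: it silently drops "." components, so a
    // path like "a/./b" would pass through unnoticed.
    for component in raw.split(|c| c == '/' || c == '\\') {
        if component.is_empty() {
            continue; // "a//b" or a trailing separator: nothing to check
        }
        if component.chars().all(|c| c == '.') {
            return Err(PathError::DotOnlyComponent(component.to_string()));
        }
    }
    Ok(raw)
}

fn main() {
    // Constructed sample inputs covering the accepted and rejected shapes.
    for p in ["out/report.json", ".hidden/ok.txt", "/etc/passwd", "../secrets", "a/.../b"] {
        println!("{:?} -> {:?}", p, validate_result_path(p));
    }
}
```

Note that a dot-file such as ".hidden/ok.txt" is still accepted: only components made entirely of dots are rejected, which matches the rule in the advisory text.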
LDAP Injection
Thorium was not escaping user-controlled strings that it sent to LDAP.
This would allow an attacker who can add metagroups to groups to perform
LDAP injection. To carry out this attack, however, the attacker would
already need permission to modify group permissions at will.
Thorium now properly escapes user-controlled strings sent to LDAP.
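An added example of the escaping involved (not Thorium's code): RFC 4515 filter-value escaping, with a vulnerable filter builder beside the hardened one. The filter shape, which looks up group members by cn, is a hypothetical stand-in for whatever query Thorium runs with the metagroup name.

```rust
/// Escape a value for embedding inside an LDAP search filter, following
/// RFC 4515 section 3: each character with meaning in filter syntax is
/// replaced by a backslash and the two-digit hex code of its byte value.
pub fn escape_filter_value(input: &str) -> String {
    let mut out = String::with_capacity(input.len());
    for c in input.chars() {
        match c {
            '\\' => out.push_str("\\5c"),
            '*' => out.push_str("\\2a"),
            '(' => out.push_str("\\28"),
            ')' => out.push_str("\\29"),
            '\0' => out.push_str("\\00"),
            other => out.push(other),
        }
    }
    out
}

/// Vulnerable form (assumed query shape, shown for contrast): the user-supplied
/// group name is interpolated straight into the filter.
pub fn unsafe_group_members_filter(group_cn: &str) -> String {
    format!("(&(objectClass=groupOfNames)(cn={}))", group_cn)
}

/// Hardened form: the same filter with the value escaped first.
pub fn group_members_filter(group_cn: &str) -> String {
    format!("(&(objectClass=groupOfNames)(cn={}))", escape_filter_value(group_cn))
}

fn main() {
    // Constructed injection payload: closes the cn clause and appends a
    // clause that matches every object, widening the query to all groups.
    let payload = "*)(objectClass=*";
    println!("unsafe: {}", unsafe_group_members_filter(payload));
    println!("safe:   {}", group_members_filter(payload));
}
```

The unsafe builder turns the payload into a still well-formed filter that matches every group, which is exactly why a syntactically valid result is not evidence of safety. Values that end up inside a DN rather than a filter (for example when building "cn=<name>,ou=groups,...") need RFC 4514 escaping instead, which covers a different character set; the two must not be mixed up.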
Spam Verification Emails For Unverified Users
Thorium was not limiting how often verification emails could be resent
to unverified users on deployments with email verification configured.
An attacker who knew the username of a user that had not yet verified
their email could therefore spam that user with verification emails. Only
the verification email is sent, so this does not allow an attacker to send
arbitrary emails. Thorium now allows admins to set a rate limit value,
which by default allows a verification email to be resent at most once
every 10 minutes.
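An added example of a resend rate limiter of the kind described (not Thorium's implementation). It is keyed on the target username rather than the requester, since the requester is unauthenticated, and takes the current time as a parameter so it can be tested deterministically; the type and method names are invented for the example.

```rust
use std::collections::HashMap;
use std::time::Duration;

/// Limits how often a verification email may be resent to a given user.
pub struct ResendLimiter {
    min_interval: Duration,
    /// username -> monotonic clock reading at the last successful send
    last_sent: HashMap<String, Duration>,
}

impl ResendLimiter {
    pub fn new(min_interval: Duration) -> Self {
        ResendLimiter { min_interval, last_sent: HashMap::new() }
    }

    /// Record a send for `username` if enough time has passed, otherwise
    /// return how long the caller must wait. `now` is a monotonic clock
    /// reading (in production, Instant::now() relative to process start);
    /// passing it in keeps the logic testable.
    pub fn try_send(&mut self, username: &str, now: Duration) -> Result<(), Duration> {
        if let Some(&last) = self.last_sent.get(username) {
            let elapsed = now.saturating_sub(last);
            if elapsed < self.min_interval {
                // Denied attempts deliberately do not touch last_sent: if they
                // reset the timer, an attacker hammering the endpoint could
                // keep the legitimate user from ever getting a resend.
                return Err(self.min_interval - elapsed);
            }
        }
        self.last_sent.insert(username.to_string(), now);
        Ok(())
    }
}

fn main() {
    // Constructed sequence of requests against the 10 minute default.
    let mut limiter = ResendLimiter::new(Duration::from_secs(600));
    for (user, t) in [("alice", 0), ("alice", 60), ("bob", 60), ("alice", 600)] {
        println!("{} @ {}s -> {:?}", user, t, limiter.try_send(user, Duration::from_secs(t)));
    }
}
```

The endpoint should return the same response whether the resend was sent or throttled, so that the limiter does not become a way to confirm which usernames exist and are still unverified.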
Token Not Rotating When Resetting Passwords
Thorium was generating a new token but not saving it when updating a
user's password. This meant that a user who changed their password
because the password or token had been leaked did not actually revoke
prior access: the previously issued token was not replaced. This only
affects LDAP-enabled Thorium clusters. Thorium now saves the new token
on password updates.
Disabled TLS Verification To Elasticsearch
Thorium did not allow users to configure how the certificate presented by
Elasticsearch is validated and defaulted to not verifying it at all. This
option is now configurable.
Divide By Zero When Getting Streams
If a user requested streams with a split of 0, the request would panic on
a divide-by-zero. This has been resolved by requiring a NonZeroU64 instead
of a u64 for that value, so a zero is rejected at the type level rather
than reaching the division.
Thanks to OpenAI Security Research for bringing these issues to our attention.