OpenObserve Unauthorized Access Vulnerability in Users API

Critical
prabhatsharma published GHSA-3m5f-9m66-xgp7 Feb 8, 2024

Package

cargo OpenObserve (Rust)

Affected versions

< 0.8.0

Patched versions

>= 0.8.0

Description

Summary

A critical vulnerability has been identified in the "/api/{org_id}/users/{email_id}" endpoint. It allows any authenticated user within an organization to remove any other user from that same organization, regardless of either user's role. This includes the ability to remove users with "Admin" and "Root" roles. Because any organizational member can unilaterally alter the user base, the flaw opens the door to unauthorized access and can cause considerable disruption to operations.

Details

The core of the vulnerability lies in the remove_user_from_org function in the user management system. This function is designed to allow organizational users to remove members from their organization.

Issues:

  • The function does not check if the user initiating the request has the appropriate administrative privileges to remove a user.
  • Any user who is part of the organization, irrespective of their role, can remove any other user, including those with higher privileges.

Source Code Reference:

  • File: src/service/users.rs
  • Function: pub async fn remove_user_from_org(org_id: &str, email_id: &str) -> Result<HttpResponse, Error>
  • File: src/handler/http/request/users/mod.rs
  • Function: pub async fn delete(path: web::Path<(String, String)>) -> Result<HttpResponse, Error>
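The missing check, modelled as an added defensive illustration in plain Rust (this is not OpenObserve's code or its actual fix): the requester's identity comes from the authenticated session rather than the request path, and the requester's role is authorized against the target's role before anything is removed. The role set, the ordering policy, the error type and the in-memory org store are assumptions made for this example.

```rust
// Added example, not OpenObserve's code: the authorization step the vulnerable
// remove_user_from_org path skipped, in plain Rust so it compiles without
// actix-web. Roles, policy and the in-memory org are assumptions.
use std::collections::HashMap;

// Variant order defines rank: Member < Admin < Root.
#[derive(Clone, Copy, Debug, PartialEq, Eq, PartialOrd, Ord)]
pub enum Role {
    Member,
    Admin,
    Root,
}

#[derive(Debug, PartialEq, Eq)]
pub enum RemoveError {
    RequesterNotInOrg,
    TargetNotInOrg,
    Forbidden,
}

/// In-memory stand-in for the org's user store: email -> role.
pub struct Org {
    pub members: HashMap<String, Role>,
}

/// Hardened removal. `requester` is the authenticated caller (from the session,
/// never from the URL). Only Admin/Root may remove users, and nobody may remove
/// a user who outranks them, so a Member can remove no one and an Admin cannot
/// remove Root. The target is only touched after both checks pass.
pub fn remove_user_from_org(org: &mut Org, requester: &str, target: &str) -> Result<(), RemoveError> {
    let requester_role = *org.members.get(requester).ok_or(RemoveError::RequesterNotInOrg)?;
    let target_role = *org.members.get(target).ok_or(RemoveError::TargetNotInOrg)?;
    if requester_role < Role::Admin || target_role > requester_role {
        return Err(RemoveError::Forbidden);
    }
    org.members.remove(target);
    Ok(())
}

/// Constructed sample organization used by the demo below.
pub fn demo_org() -> Org {
    let members = vec![("root@example.com", Role::Root), ("admin@example.com", Role::Admin), ("alice@example.com", Role::Member)]
        .into_iter().map(|(e, r)| (e.to_string(), r)).collect();
    Org { members }
}

fn main() {
    let mut org = demo_org();
    // The advisory's scenario: an ordinary member trying to delete Root is now refused.
    println!("{:?}", remove_user_from_org(&mut org, "alice@example.com", "root@example.com"));
    println!("{:?}", remove_user_from_org(&mut org, "admin@example.com", "alice@example.com"));
}
```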

PoC (Proof of Concept)

  1. Configuration Details:

    • Environment: Self-Hosted
    • Version: < 0.8.0
    • User Role: Any authenticated user within an organization
  2. Reproduction Steps:

    1. Authenticate as any user within an organization.
    2. Send a request to the remove_user_from_org endpoint with the following format:
      • Endpoint: DELETE /api/{org_id}/users/{email_id}
      • Parameters: {org_id} – The organization ID; {email_id} – The email ID of the user to be removed.
    3. The request succeeds and the specified user is removed from the organization, regardless of their role.

Example request for PoC using curl:

curl -X 'DELETE' \
  'http://localhost:5080/api/default/users/root%40example.com' \
  -H 'accept: application/json'

Impact

This vulnerability is categorized as an Authorization issue leading to Unauthorized User Removal. The impact is severe, as it compromises the integrity of user management within organizations. Any user within an organization, without administrative privileges, can remove critical users, including "Admins" and "Root" users. This could result in unauthorized system access, administrative lockout, or operational disruption. Since user accounts are typically created by "Admins" or "Root" users, the vulnerability is exploitable by anyone who has been granted access to an organization, posing a critical risk to the security and operational stability of the application.

Severity

Critical 9.1 / 10

CVSS base metrics

  • Attack vector: Network
  • Attack complexity: Low
  • Privileges required: Low
  • User interaction: None
  • Scope: Changed
  • Confidentiality: High
  • Integrity: Low
  • Availability: Low

Vector string: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:L

CVE ID

CVE-2024-25106