CVE-2023-2227: Added missing permissions on API endpoints · modoboa/modoboa@7bcd3f6
Improper Authorization in GitHub repository modoboa/modoboa prior to 2.1.0.
@@ -9,15 +9,19 @@
from django.contrib.auth import login
from drf_spectacular.utils import extend_schema
from rest_framework import response, status
from rest_framework import permissions, response, status
from rest_framework.exceptions import AuthenticationFailed
from rest_framework_simplejwt import views as jwt_views
from rest_framework_simplejwt.exceptions import InvalidToken
from rest_framework.views import APIView
from modoboa.core.password_hashers import get_password_hasher
from modoboa.core.utils import check_for_updates
from modoboa.lib.throttle import UserLesserDdosUser, LoginThrottle, PasswordResetApplyThrottle, PasswordResetRequestThrottle, PasswordResetTotpThrottle
from modoboa.lib.permissions import IsSuperUser
from modoboa.lib.throttle import (
UserLesserDdosUser, LoginThrottle, PasswordResetApplyThrottle,
PasswordResetRequestThrottle, PasswordResetTotpThrottle
)
from modoboa.parameters import tools as param_tools
from smtplib import SMTPException
@@ -192,6 +196,7 @@ def post(self, request, *args, **kwargs):
class ComponentsInformationAPIView(APIView):
“""Retrieve information about installed components.""”
permission_classes = [permissions.IsAuthenticated, IsSuperUser]
throttle_classes = [UserLesserDdosUser]
@extend_schema(responses=serializers.ModoboaComponentSerializer(many=True))
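Review bot: The new `permission_classes` on ComponentsInformationAPIView is not pinned by any test visible in this commit; a regression test asserting that an anonymous request to this endpoint is rejected and that an authenticated non-superuser gets 403 would keep a later refactor that drops or reorders the attribute from silently reopening the disclosure. DRF evaluates `permission_classes` conjunctively, so listing `IsAuthenticated` before `IsSuperUser` is sound, but whether `IsSuperUser` (imported from `modoboa.lib.permissions`) already rejects anonymous users on its own is not visible here, so a one-line comment such as `# Component/version data is superuser-only; IsAuthenticated first so anonymous callers are refused before the superuser check` would record the intent. An explicit `permission_classes` also overrides any project-wide `DEFAULT_PERMISSION_CLASSES`, so this view will not pick up future changes to that default. The `get` method this attribute guards begins after the hunk, and since the commit title speaks of endpoints in the plural, other views touched by this commit lie outside the hunks shown.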
Related news
In modoboa prior to 2.1.0, sending a GET request to the endpoint `/api/v2/parameters/core/` returns sensitive information without any authentication or authorization.