CVE-2023-35168: DataEase has a privilege bypass vulnerability that allows ordinary users to access all user information

DataEase is an open source data visualization and analysis tool used to analyze data and gain insight into business trends. Affected versions of DataEase have a privilege bypass vulnerability through which ordinary users can gain access to the user database. Exposed information includes MD5 hashes of passwords, usernames, email addresses, and phone numbers. The vulnerability has been fixed in v1.18.8. Users are advised to upgrade. There are no known workarounds for the vulnerability.


Impact

DataEase has a privilege bypass vulnerability: ordinary users can obtain every user's password MD5 hash, username, email address, cell phone number and other information.

  1. Log in as the demo user and call the interface api/user/userGrid/1, passing in dataset ID 1; the response is "unauthorized".

  2. Interface code location:
     \backend\src\main\java\io\dataease\controller\sys\SysUserController.java

  3. The AOP annotation restricts this interface to level 3: only a user whose level is greater than or equal to 3 may access it.

  4. When the demo user calls this interface, \dataease-1.18\backend\src\main\java\io\dataease\auth\aop\DePermissionAnnotationHandler.java calls AuthUtils.permissionByType(type), which returns the datasets that the current user may invoke at the corresponding level.

The demo user's level is 1, so the level-3 interface cannot be called, and the call to api/user/userGrid/1 therefore returns "unauthorized".

  5. However, a dataset entry with level 3 and a value of 0 is automatically appended to the end of the returned list.

  6. At this point the requestLevel is 3, so the entries with level greater than or equal to 3 are extracted, and the handler checks whether the datasetId from the requested /userGrid/{datasetId} is among them. The appended entry with level 3 and value 0 is present in that filtered list, so the check passes.

  7. Consequently, calling /api/user/userGrid/0 achieves the permission bypass. Taking https://dataease.fit2cloud.com/#/wizard/index as an example: log in as the demo user and call the interface /api/user/userGrid/0, and it returns all users, including the administrator, with their password MD5 hash, username, email address, cell phone number, etc.
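The following is an added illustration, not DataEase's own code: it models the authorization logic the advisory describes (a per-user permission list, a level-3 sentinel entry with id 0 appended to it, and a membership test on the requested id) beside a hardened version that checks the caller's own level against the annotation's level. The `Permission` record, `lookupPermissions`, and the sample dataset ids 10 and 11 are constructed for the example and do not correspond to real DataEase identifiers.

```java
import java.util.ArrayList;
import java.util.List;

public class LevelCheckExample {

    // One (level, datasetId) pair as returned by the permission lookup (constructed).
    record Permission(int level, long datasetId) {}

    // Constructed sample lookup: the caller owns datasets 10 and 11 at its own level.
    static List<Permission> lookupPermissions(int userLevel) {
        List<Permission> perms = new ArrayList<>();
        perms.add(new Permission(userLevel, 10L));
        perms.add(new Permission(userLevel, 11L));
        return perms;
    }

    // Flawed check, modelling the behaviour described in the advisory: a level-3
    // entry with datasetId 0 is appended unconditionally, and the request is allowed
    // whenever the requested id appears among entries whose level >= requestLevel.
    // The caller's own level is never compared with requestLevel.
    static boolean flawedIsAllowed(int userLevel, int requestLevel, long requestedId) {
        List<Permission> perms = lookupPermissions(userLevel);
        perms.add(new Permission(3, 0L)); // the sentinel that makes id 0 pass for everyone
        for (Permission p : perms) {
            if (p.level() >= requestLevel && p.datasetId() == requestedId) {
                return true;
            }
        }
        return false;
    }

    // Hardened check: the authorization decision is made on the caller's level first,
    // and no sentinel entry takes part in the membership test.
    static boolean hardenedIsAllowed(int userLevel, int requestLevel, long requestedId) {
        if (userLevel < requestLevel) {
            return false; // a level-1 user can never reach a level-3 interface
        }
        for (Permission p : lookupPermissions(userLevel)) {
            if (p.datasetId() == requestedId) {
                return true;
            }
        }
        return false;
    }

    public static void main(String[] args) {
        int demoUserLevel = 1;   // the advisory's demo user
        int annotationLevel = 3; // the level required by the AOP annotation

        System.out.println("flawed,   level 1 user, id 1: "
                + flawedIsAllowed(demoUserLevel, annotationLevel, 1L));
        System.out.println("flawed,   level 1 user, id 0: "
                + flawedIsAllowed(demoUserLevel, annotationLevel, 0L));
        System.out.println("hardened, level 1 user, id 0: "
                + hardenedIsAllowed(demoUserLevel, annotationLevel, 0L));
        System.out.println("hardened, level 3 user, id 10: "
                + hardenedIsAllowed(3, annotationLevel, 10L));
    }
}
```

The design point is that a membership test over a list the caller did not produce is not an authorization check: as soon as the list contains an entry the caller does not own (here the sentinel with id 0), the test admits a request that the level comparison alone would reject. Comparing the principal's level with the required level before any lookup, and never mixing sentinel values into the set being tested, removes the bypass regardless of which ids are requested.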

Affected versions: <= 1.18.7

Patches

The vulnerability has been fixed in v1.18.8.

Workarounds

It is recommended to upgrade the version to v1.18.8.

References

If you have any questions or comments about this advisory:

Open an issue in https://github.com/dataease/dataease
Email us at [email protected]
