Headline
GHSA-wxf3-4fvj-vqqx: Unsafe plugins can be installed via pack import by tenant admins
Summary
Unsafe plugins (for instance sql-list) can be installed in subdomain tenants via pack import even if unsafe plugin installation for tenants is disabled.
Details
I have an example: https://bot20230704.saltcorn.com/view/all_plugins
It's publicly accessible (but has no sensitive values except the list of tenants). But using this mechanism one can read any data from other tenants.
Impact
All tenants of an installation (i.e. saltcorn.com) can be compromised from a tenant in which a user has admin access. If an untrusted user has admin rights to a tenant instance, they will be able to install a plug-in that can access information from other tenants.
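The root cause described above is a policy check applied on the direct plugin-install path but not on the pack-import path. The following added example (not Saltcorn's code; every name, the plugin catalog and the `tenants_unsafe_plugins` setting are hypothetical) models that gap and the fix: one shared policy decision that every install path must pass, evaluated over the whole pack before anything is installed.

```javascript
// Constructed plugin catalog: which plugins are flagged unsafe. sql-list is the
// plugin named in the advisory; the flag values here are assumed for illustration.
const PLUGIN_CATALOG = {
  "sql-list": { unsafe: true },
  markdown: { unsafe: false },
};

// Hypothetical installation-wide setting: may tenants install unsafe plugins?
function tenantsMayInstallUnsafe(installConfig) {
  return installConfig.tenants_unsafe_plugins === true;
}

// Single policy decision. Deny-by-default for tenants: an unsafe plugin is
// permitted in a tenant only when the installation explicitly allows it.
function assertPluginAllowed(pluginName, ctx) {
  const entry = PLUGIN_CATALOG[pluginName];
  if (!entry) throw new Error(`unknown plugin: ${pluginName}`);
  if (entry.unsafe && ctx.isTenant && !tenantsMayInstallUnsafe(ctx.installConfig)) {
    throw new Error(`unsafe plugin ${pluginName} not permitted in tenant ${ctx.tenant}`);
  }
}

// Vulnerable pattern: pack import installs every listed plugin without
// consulting the tenant policy, so the restriction on direct installs is bypassed.
function importPackVulnerable(pack, ctx) {
  return pack.plugins.map((p) => p.name); // names of plugins that would be installed
}

// Hardened pattern: the same check as direct install, run over the entire pack
// before any plugin is installed, so a rejected pack leaves no partial state.
function importPackHardened(pack, ctx) {
  for (const p of pack.plugins) assertPluginAllowed(p.name, ctx);
  return pack.plugins.map((p) => p.name);
}

// Constructed inputs: a pack bundling a safe and an unsafe plugin, imported by a
// tenant admin on an installation where tenants may not install unsafe plugins.
const samplePack = { plugins: [{ name: "markdown" }, { name: "sql-list" }] };
const tenantCtx = {
  isTenant: true,
  tenant: "example-tenant",
  installConfig: { tenants_unsafe_plugins: false },
};
```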
References
- GHSA-wxf3-4fvj-vqqx