[midPoint] Security Advisory: Less privileged user able to execute custom Groovy scripts via Bulk Tasks

Tony Tkacik tony.tkacik at evolveum.com
Thu Sep 21 17:04:36 CEST 2023


Date: 20. 9. 2023 
Severity: High 
Affected versions: all midPoint versions 
Fixed in versions: 4.4.6, 4.6.2 (unreleased), 4.7.2, 4.8 (unreleased) 



Description 

Non-admin users who are authorized to execute bulk actions (via the `model-3#executeScript` authorization) are able to execute arbitrary Groovy code if they are also authorized to submit custom bulk actions over REST (authorization `rest#all`) or have access to the Bulk Actions page (authorization `ui-3#pageBulkAction`). 

NOTE: The `model-3#executeScript` authorization sounds as though it should allow Groovy script execution, but it was intended only to grant access to bulk actions. 


Severity and Impact 

This is a high-severity issue. 

The affected feature is not enabled for end users by default. A midPoint deployment is affected only if non-administrator users hold both `#executeScript` and `rest#all`, or both `#executeScript` and `ui-3#pageBulkAction`. 


Mitigation 

* Update to the latest maintenance midPoint release, which contains the fix. 
* Remove the `rest#all` or `ui-3#pageBulkAction` authorizations from users who hold the `model-3#executeScript` authorization. 
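A quick way to find the exposed users in a deployment, as an added example (Python, not Evolveum's code): parse role definitions, union each user's directly assigned roles, and flag the authorization combination named above. The role XML layout and the `authorization-rest-3#all` / `authorization-ui-3#pageBulkAction` action URIs are assumed to match midPoint's schema; the wrapping `<roles>` element, the roles and the assignments are constructed sample data.

```python
# Added example (not Evolveum code). Role XML layout is assumed to follow
# midPoint's common-3 schema; the <roles> wrapper and all data are constructed.
import xml.etree.ElementTree as ET

NS = {"c": "http://midpoint.evolveum.com/xml/ns/public/common/common-3"}
SEC = "http://midpoint.evolveum.com/xml/ns/public/security/"
EXEC_SCRIPT = "model-3#executeScript"             # enables bulk actions
ENABLERS = ("rest-3#all", "ui-3#pageBulkAction")  # let a user submit a custom one

ROLES_XML = f"""<roles xmlns="{NS['c']}">
  <role><name>Bulk Operator</name>
    <authorization><action>{SEC}authorization-model-3#executeScript</action></authorization>
  </role>
  <role><name>REST Client</name>
    <authorization><action>{SEC}authorization-rest-3#all</action></authorization>
  </role>
  <role><name>Reader</name>
    <authorization><action>{SEC}authorization-model-3#read</action></authorization>
  </role>
</roles>"""

# Constructed direct role assignments (user -> role names).
ASSIGNMENTS = {
    "alice": ["Bulk Operator", "REST Client"],  # exposed: both halves present
    "bob": ["Bulk Operator"],                   # executeScript alone is not enough
    "carol": ["REST Client", "Reader"],         # no executeScript at all
}

def normalize(action_uri):
    """'.../authorization-model-3#executeScript' -> 'model-3#executeScript'."""
    tail = action_uri.strip().rsplit("/", 1)[-1]
    return tail[len("authorization-"):] if tail.startswith("authorization-") else tail

def role_authorizations(xml_text):
    """Map each role name to the normalized set of authorization actions it grants."""
    roles = {}
    for role in ET.fromstring(xml_text).findall("c:role", NS):
        actions = role.findall("c:authorization/c:action", NS)
        roles[role.findtext("c:name", namespaces=NS)] = {normalize(a.text) for a in actions}
    return roles

def is_exposed(actions):
    """True when executeScript is combined with a way to submit custom bulk actions."""
    return EXEC_SCRIPT in actions and any(e in actions for e in ENABLERS)

def audit(assignments, roles):
    """Return users whose union of directly assigned roles hits the combination."""
    return sorted(user for user, names in assignments.items()
                  if is_exposed(set().union(*(roles[n] for n in names))))
```

Role inducements and other indirect assignment paths are not followed here; a real audit should work from each user's effective authorizations rather than direct assignments alone.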

This advisory is also available at: https://docs.evolveum.com/midpoint/reference/security/advisories/018-less-privileged-user-able-to-execute-custom-groovy-scripts/ 
-- 
Anton Tkáčik
Software Developer
evolveum.com 