[midPoint] Security Advisory: Less privileged user able to execute custom Groovy scripts via Bulk Tasks
Tony Tkacik
tony.tkacik at evolveum.com
Thu Sep 21 17:04:36 CEST 2023
Date: 20. 9. 2023
Severity: High
Affected versions: all midPoint versions
Fixed in versions: 4.4.6, 4.6.2 (unreleased), 4.7.2, 4.8 (unreleased)
Description
Non-admin users which are authorized to execute bulk actions (using `model-3#executeScript` authorization) are able to execute arbitrary Groovy code, if they have authorization to submit custom bulk actions using rest (authorization `rest#all`) or have access to Bulk Actions page (authorization `ui-3#pageBulkAction`).
NOTE: Authorization `model-3#executeScript` sounds like it should allow Groovy script execution, but was intended only to enable access to bulk actions.
Severity and Impact
This is high-severity issue.
The affected feature is not enabled by default to end-users. MidPoint deployment is only affected if non-administrator users have authorization for: `#executeScript` and `rest#all` or `#executeScript` and `ui-3#pageBulkAction`.
Mitigation
* Update to latest maintenance midPoint release which contains fix.
* Remove authorizations for `rest#all` or `ui-3#pageBulkAction` for those users, which have `model-3#executeScript` authorization.
This advisory is also available at: [ https://docs.evolveum.com/midpoint/reference/security/advisories/018-less-privileged-user-able-to-execute-custom-groovy-scripts/ | https://docs.evolveum.com/midpoint/reference/security/advisories/018-less-privileged-user-able-to-execute-custom-groovy-scripts/ ]
--
Anton Tkáčik
Software Developer
evolveum.com
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.evolveum.com/pipermail/midpoint/attachments/20230921/74c2c3c3/attachment.htm>
More information about the midPoint
mailing list