[midPoint] Security Advisory: Some users can execute selected operations beyond their authorizations

Tony Tkacik tony.tkacik at evolveum.com
Tue Feb 27 19:25:27 CET 2024


Date: 27. 02. 2024 
Severity: 8.2 (High) 
Affected versions: All midPoint versions prior to 4.4.8, 4.7.4, 4.8.2 
Fixed in versions: 4.4.8, 4.7.4, 4.8.2 

Description 

Authorized REST users can inject false resource data into midPoint and invoke the import from resources without any further authorizations. 

Severity and Impact 

This is a High Severity issue. 
Users with the `http://midpoint.evolveum.com/xml/ns/public/security/authorization-rest-3#all` authorization can do the following: 
- Invoke the "notify change" operation. 
This allows them to provide false resource data to midPoint. 
- Invoke the "import from resource" operations. 
These allow them to start import operations, either for a single shadow or for the whole object class. 
- Test the resource. 

Mitigation 

Users of affected midPoint versions are advised to upgrade their deployments to the latest maintenance releases. 

In the meantime, they are advised to allow REST access only to trusted users. 
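As an added example (not part of the advisory or of the midPoint project), the following helper supports the two mitigation steps above: it decides whether a deployed version is still affected according to the fixed versions listed here, and it scans exported role definitions for the REST `#all` authorization so that the accounts holding it can be reviewed. The role XML layout (`<role><authorization><action>`) is assumed from midPoint's common-3 schema, and the sample export is constructed.

```python
import xml.etree.ElementTree as ET

# Fixed versions from the advisory, keyed by maintenance branch.
FIXED = {(4, 4): (4, 4, 8), (4, 7): (4, 7, 4), (4, 8): (4, 8, 2)}
REST_ALL = "http://midpoint.evolveum.com/xml/ns/public/security/authorization-rest-3#all"
NS = {"c": "http://midpoint.evolveum.com/xml/ns/public/common/common-3"}


def parse_version(version):
    """'4.8.1' -> (4, 8, 1); a missing patch level counts as 0; '-SNAPSHOT' suffixes are ignored."""
    parts = [int(p) for p in version.split("-")[0].split(".")]
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts[:3])


def is_affected(version):
    """True when the version predates the fix for its branch ('prior to 4.4.8, 4.7.4, 4.8.2')."""
    v = parse_version(version)
    branch = v[:2]
    if branch in FIXED:
        return v < FIXED[branch]
    # Assumption: branches with no listed fix (e.g. 4.5, 4.6) are affected when
    # older than the newest fixed branch; later branches ship with the fix.
    return branch < (4, 8)


def roles_granting_rest_all(xml_text):
    """Names of every <role> whose <authorization> grants the REST '#all' action."""
    root = ET.fromstring(xml_text)
    hits = []
    for role in root.iter("{%s}role" % NS["c"]):
        name = role.findtext("c:name", default="?", namespaces=NS)
        for action in role.iterfind("c:authorization/c:action", NS):
            if action.text and action.text.strip() == REST_ALL:
                hits.append(name)
                break
    return hits


# Constructed sample export: one role grants REST '#all', the other does not.
SAMPLE = """<objects xmlns="http://midpoint.evolveum.com/xml/ns/public/common/common-3">
  <role><name>REST Integration</name>
    <authorization><action>http://midpoint.evolveum.com/xml/ns/public/security/authorization-rest-3#all</action></authorization>
  </role>
  <role><name>Helpdesk</name>
    <authorization><action>http://midpoint.evolveum.com/xml/ns/public/security/authorization-model-3#read</action></authorization>
  </role>
</objects>"""

if __name__ == "__main__":
    print("4.8.1 affected:", is_affected("4.8.1"))          # True
    print("roles to review:", roles_granting_rest_all(SAMPLE))  # ['REST Integration']
```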

This advisory is also available at https://docs.evolveum.com/midpoint/security/advisories/023-unauthorized-operation-execution/ 

-- 
Anton Tkáčik
Software Developer
evolveum.com 
