[midPoint] Security Advisory: Hidden panels on detail page are accessible by URL

Tony Tkacik tony.tkacik at evolveum.com
Tue Feb 27 19:25:44 CET 2024


Date: 27. 02. 2024 
Severity: 6.4 (Medium) 
Affected versions: All midPoint versions from 4.7 prior to 4.7.4, 4.8.2 
Fixed in versions: 4.7.4, 4.8.2 

Description 

Panels whose visibility is configured as 'hidden' are not shown in the menu, but they can still be displayed by changing the identifier in the 'panelId' URL parameter.


Severity and Impact 

This is a Medium Severity issue.
MidPoint allows the visibility of a panel to be configured as 'hidden' (for example, the panel for organization assignments with the identifier 'orgAssignments').
Users with GUI authorization for the details page (for example, http://midpoint.evolveum.com/xml/ns/public/security/authorization-ui-3#selfProfile)
and model authorizations for the objects displayed in the hidden panel (for example, read/write for OrgType) can do the following:

The user opens a details page with panels (for example, a profile page) and changes the 'panelId' parameter in the URL to the hidden panel identifier (for example, 'orgAssignments'). 
The content of the hidden panel is displayed. 


Mitigation 

Users of affected MidPoint versions are advised to upgrade their deployments to the latest maintenance releases. 
In the meantime, users are advised to limit model authorizations to only necessary objects and object items. 
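The following is an added illustrative model, not midPoint's code, of the defect described above and of the two layers the mitigation relies on: a visibility check that is applied only when the menu is built (the pre-fix behaviour), the same check applied on every panel request, and a scan of constructed access-log lines for requests naming a hidden panelId. Panel names, authorization labels and the log format are assumptions.

```python
from urllib.parse import urlparse, parse_qs

# Constructed panel configuration; 'orgAssignments' is hidden, as in the advisory.
PANELS = {
    "basic": {"visibility": "visible", "requires": {"read:UserType"}},
    "assignments": {"visibility": "visible", "requires": {"read:AssignmentType"}},
    "orgAssignments": {"visibility": "hidden", "requires": {"read:OrgType", "write:OrgType"}},
}

# Constructed access-log lines: method, request target, status.
SAMPLE_LOG = [
    "GET /midpoint/self/profile?panelId=basic 200",
    "GET /midpoint/self/profile?panelId=orgAssignments 200",
    "GET /midpoint/self/profile?panelId=assignments 200",
]

def menu_entries(panels=PANELS):
    """Menu only lists panels that are not hidden; this part worked before the fix."""
    return [pid for pid, cfg in panels.items() if cfg["visibility"] != "hidden"]

def resolve_panel_menu_only(panel_id, model_authz, panels=PANELS):
    """Pre-fix behaviour: visibility filtered the menu only, so any known panel is
    rendered as long as the user holds the model authorizations for its objects."""
    cfg = panels.get(panel_id)
    if cfg is None or not cfg["requires"] <= model_authz:
        return None
    return f"rendered:{panel_id}"

def resolve_panel_enforced(panel_id, model_authz, panels=PANELS):
    """Hardened: the visibility configuration is checked on every request, and the
    model authorizations are still required (the advisory's interim mitigation)."""
    cfg = panels.get(panel_id)
    if cfg is None or cfg["visibility"] == "hidden":
        return None
    if not cfg["requires"] <= model_authz:
        return None
    return f"rendered:{panel_id}"

def scan_access_log(lines, panels=PANELS):
    """Return (line_no, panel_id) for requests whose panelId is configured hidden."""
    hits = []
    for n, line in enumerate(lines, 1):
        parts = line.split()
        if len(parts) < 2:
            continue
        for pid in parse_qs(urlparse(parts[1]).query).get("panelId", []):
            if panels.get(pid, {}).get("visibility") == "hidden":
                hits.append((n, pid))
    return hits
```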

This advisory is also available at https://docs.evolveum.com/midpoint/security/advisories/024-showing-hidden-panel/



-- 
Anton Tkáčik
Software Developer
evolveum.com 

