<html><body><div style="font-family: arial, helvetica, sans-serif; font-size: 12pt; color: #000000"><div><div><div>Date: 20. 9. 2023</div>
<div>Severity: High</div>
<div>Affected versions: all midPoint versions</div>
<div>Fixed in versions: 4.4.6, 4.6.2 (unreleased), 4.7.2, 4.8 (unreleased)</div>
<br><br>
<div>Description</div><br>
<div>Non-admin users who are authorized to execute bulk actions (via the `model-3#executeScript` authorization) are able to execute arbitrary Groovy code if they also have authorization to submit custom bulk actions over REST (authorization `rest#all`) or have access to the Bulk Actions page (authorization `ui-3#pageBulkAction`).</div><br>
<div>NOTE: The name of the `model-3#executeScript` authorization suggests that it allows Groovy script execution, but it was intended only to enable access to bulk actions.</div>
<br><br>
<div>Severity and Impact</div><br>
<div>This is a high-severity issue.</div><br>
<div>The affected feature is not enabled for end users by default. A midPoint deployment is only affected if non-administrator users hold both `model-3#executeScript` and `rest#all`, or both `model-3#executeScript` and `ui-3#pageBulkAction`.</div>
<br><br>
<div>Mitigation</div><br>
<div>* Update to the latest midPoint maintenance release, which contains the fix.</div>
<div>* Remove the `rest#all` or `ui-3#pageBulkAction` authorization from those users who have the `model-3#executeScript` authorization.<br><br></div>
<div>This advisory is also available at: <a href="https://docs.evolveum.com/midpoint/reference/security/advisories/018-less-privileged-user-able-to-execute-custom-groovy-scripts/">https://docs.evolveum.com/midpoint/reference/security/advisories/018-less-privileged-user-able-to-execute-custom-groovy-scripts/</a></div>
<div><div style="clear: both;"><pre>-- 
Anton Tkáčik
Software Developer
evolveum.com</pre></div></div></div></div></div></body></html>
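To apply the second mitigation you need to know which users actually hold the risky combination, and because a user's effective authorizations are the union of all assigned roles, the pair can come from two different roles. The following script is an added example (not midPoint's code and not from the advisory): it reads roles from an export, normalizes each authorization action URI, and reports users whose combined roles grant `model-3#executeScript` together with `rest#all` or `ui-3#pageBulkAction`. The export layout, the full authorization URIs, the sample roles and the user-to-role map are assumptions constructed for the demo.

```python
import re
import xml.etree.ElementTree as ET

C_NS = "{http://midpoint.evolveum.com/xml/ns/public/common/common-3}"
AUTHZ_BASE = "http://midpoint.evolveum.com/xml/ns/public/security/authorization-"
EXECUTE_SCRIPT = ("model", "executeScript")               # model-3#executeScript
ESCALATORS = {("rest", "all"), ("ui", "pageBulkAction")}  # rest#all, ui-3#pageBulkAction

# Constructed sample export (assumed layout); no single role is dangerous on its own.
SAMPLE_ROLES_XML = f"""<objects xmlns="{C_NS[1:-1]}">
  <role oid="1000"><name>Bulk Operator</name>
    <authorization><action>{AUTHZ_BASE}model-3#executeScript</action></authorization></role>
  <role oid="2000"><name>REST Client</name>
    <authorization><action>{AUTHZ_BASE}rest-3#all</action></authorization></role>
  <role oid="3000"><name>Bulk Actions Page</name>
    <authorization><action>{AUTHZ_BASE}model-3#read</action>
      <action>{AUTHZ_BASE}ui-3#pageBulkAction</action></authorization></role>
</objects>"""
# Constructed user -> assigned role oids (in midPoint: assignment/targetRef/@oid).
SAMPLE_ASSIGNMENTS = {"alice": ["1000", "2000"], "bob": ["1000"],
                      "carol": ["2000", "3000"], "dave": ["1000", "3000"]}

def normalize(action_uri):
    """'.../authorization-rest-3#all' -> ('rest', 'all'); version suffix dropped."""
    if not action_uri.startswith(AUTHZ_BASE) or "#" not in action_uri:
        return None
    component, name = action_uri[len(AUTHZ_BASE):].split("#", 1)
    return (re.sub(r"-\d+$", "", component), name)

def role_actions(objects_xml):
    """Map role oid -> set of normalized authorization actions in the export."""
    result = {}
    for role in ET.fromstring(objects_xml).iter(C_NS + "role"):
        actions = (a.text or "" for a in role.iter(C_NS + "action"))
        result[role.get("oid")] = {n for n in map(normalize, actions) if n}
    return result

def escalation_paths(actions):
    """Escalators held alongside executeScript; an empty set means not affected."""
    return actions & ESCALATORS if EXECUTE_SCRIPT in actions else set()

def find_risky_users(roles, assignments):
    """Union the assigned roles' authorizations; return user -> escalator names."""
    risky = {}
    for user, oids in assignments.items():
        effective = set().union(*(roles.get(oid, set()) for oid in oids))
        paths = escalation_paths(effective)
        if paths:
            risky[user] = sorted(f"{c}#{n}" for c, n in paths)
    return risky
```

On the constructed sample, `find_risky_users(role_actions(SAMPLE_ROLES_XML), SAMPLE_ASSIGNMENTS)` flags alice (through `rest#all`) and dave (through `ui-3#pageBulkAction`), while bob and carol, who hold only one half of the pair, are not reported.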