Summary
A low privileged user could remove a user, edit group members, or edit another user's profile information.
Details
The default privileges granted overly broad permissions to low privileged users. These have been constrained in later versions to prevent abuse.
PoC
As a low privileged user:
- use the removeUser GraphQL API to delete a user
- edit the group members of a privileged group, adding the low privileged user to it, which allows privilege escalation
- modify another user's email or other personal information
Impact
Can result in privilege escalation for lower privileged users, potentially up to admin privileges if a group with admin privileges exists. May not impact instances that have modified the default privileges.
Credit
Dor Konis - GE Vernova
Amit Laish - GE Vernova