ghsa-g273-wppx-82w4
Vulnerability from github
Published
2024-01-10 15:24
Modified
2024-01-11 15:41
Severity ?
6.5 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Summary
Pimcore Customer Data Framework Improper Access Control allows unprivileged user to access GDPR extracts
Details

Summary

An authenticated and unauthorized user can access the GDPR data extraction feature and query over the information returned, leading to customer data exposure.

Details

Permissions do not seem to be enforced when reaching the /admin/customermanagementframework/gdpr-data/search-data-objects endpoint allowing an authenticated user without the permissions to access the endpoint and query the data available there. It seems that the access control is not enforced in this place : https://github.com/pimcore/customer-data-framework/blob/b4af625ef327c58d05ef7cdf145fa749d2d4195e/src/Controller/Admin/GDPRDataController.php#L38

PoC

In order to reproduce the issue, the following steps can be followed:

  1. As an administrator : a. Create a role without any permission through Settings → User & Roles → Roles in the administration panel b. Create an user through Settings → User & Roles → Users and assign it the unprivileged role previously created
  2. Log out the current administrator and log in with this new user
  3. Access to the following endpoint https://pimcore_instance/admin/customermanagementframework/gdpr-data/search-data-objects?id=&firstname=&lastname=&email=&page=1&start=0&limit=50 and the results will be returned to this unauthorized user.

Impact

An unauthorized user can access PII data from customers without being authorized to.

Show details on source website

To clipboard 

{
  "affected": [
    {
      "package": {
        "ecosystem": "Packagist",
        "name": "pimcore/customer-management-framework-bundle"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "4.0.6"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2024-21667"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-284"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2024-01-10T15:24:08Z",
    "nvd_published_at": "2024-01-11T01:15:45Z",
    "severity": "MODERATE"
  },
  "details": "### Summary\nAn authenticated and unauthorized user can access the GDPR data extraction feature and query over the information returned, leading to customer data exposure.\n\n### Details\nPermissions do not seem to be enforced when reaching the `/admin/customermanagementframework/gdpr-data/search-data-objects` endpoint allowing an authenticated user without the permissions to access the endpoint and query the data available there. It seems that the access control is not enforced in this place : \u003chttps://github.com/pimcore/customer-data-framework/blob/b4af625ef327c58d05ef7cdf145fa749d2d4195e/src/Controller/Admin/GDPRDataController.php#L38\u003e\n\n### PoC\n\nIn order to reproduce the issue, the following steps can be followed: \n\n1. As an administrator : \n  a. Create a role without any permission through Settings \u2192 User \u0026 Roles \u2192 Roles in the administration panel\n  b. Create an user through Settings \u2192 User \u0026 Roles \u2192 Users and assign it the unprivileged role previously created\n2. Log out the current administrator and log in with this new user\n3. Access to the following endpoint `https://pimcore_instance/admin/customermanagementframework/gdpr-data/search-data-objects?id=\u0026firstname=\u0026lastname=\u0026email=\u0026page=1\u0026start=0\u0026limit=50` and the results will be returned to this unauthorized user.\n\n### Impact\nAn unauthorized user can access PII data from customers without being authorized to. \n",
  "id": "GHSA-g273-wppx-82w4",
  "modified": "2024-01-11T15:41:51Z",
  "published": "2024-01-10T15:24:08Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/pimcore/customer-data-framework/security/advisories/GHSA-g273-wppx-82w4"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-21667"
    },
    {
      "type": "WEB",
      "url": "https://github.com/pimcore/customer-data-framework/commit/6c34515be2ba39dceee7da07a1abf246309ccd77"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/pimcore/customer-data-framework"
    },
    {
      "type": "WEB",
      "url": "https://github.com/pimcore/customer-data-framework/blob/b4af625ef327c58d05ef7cdf145fa749d2d4195e/src/Controller/Admin/GDPRDataController.php#L38"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Pimcore Customer Data Framework Improper Access Control allows unprivileged user to access GDPR extracts"
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
  • Confirmed: The vulnerability is confirmed from an analyst perspective.
  • Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
  • Patched: This vulnerability was successfully patched by the user reporting the sighting.
  • Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
  • Not confirmed: The user expresses doubt about the veracity of the vulnerability.
  • Not patched: This vulnerability was not successfully patched by the user reporting the sighting.