Account validation bypass

High
davide-zerbetto published GHSA-48hp-jvv8-cf62 Jun 20, 2023

Package

KnowageLabs / Knowage-Server (Knowage)

Affected versions

6.x.x, 7.x.x, 8.0.x, < 8.1.8

Patched versions

8.1.8

Description

When a user registers his account via the /knowage/restful-services/signup/create endpoint, the account is blocked by setting
the flgPwdBlocked attribute to true.

// knowage-core/src/main/java/it/eng/spagobi/signup/service/rest/Signup.java

SbiUser user = new SbiUser();
user.setUserId(username);
user.setPassword(Password.encriptPassword(password));
user.setFullName(name + " " + surname);
user.getCommonInfo().setOrganization(defaultTenant);
user.getCommonInfo().setUserIn(username);
user.setFlgPwdBlocked(true);
// […]
int id = userDao.fullSaveOrUpdateSbiUser(user);

However, the /knowage/restful-services/credential/ endpoint, which is exposed to anonymous users, resets this flag whether the account has been activated or not.

// knowage-core/src/main/java/it/eng/spagobi/api/CredentialResource.java

@PublicService
public Response change(final ChangePasswordData data) {
  //  [...]
  final String userId = data.getUserId();
  final String oldPassword = data.getOldPassword();
  final String newPassword = data.getNewPassword();
  final String newPasswordConfirm = data.getNewPasswordConfirm();
  if (StringUtils.isEmpty(userId)) {
    // [...]
  } else {
    ISbiUserDAO userDao = DAOFactory.getSbiUserDAO();
    SbiUser tmpUser = userDao.loadSbiUserByUserId(userId);
    try {
      if (PasswordChecker.getInstance().isValid(tmpUser, oldPassword, newPassword, newPasswordConfirm)) {
        // [...]
        tmpUser.setFlgPwdBlocked(false);
        userDao.updateSbiUser(tmpUser, tmpUser.getId());
        // [...]

This allows an attacker to register and activate an account without having to click the link included in the email, which matters in particular where the email service is not configured and no activation link is ever sent.
It is also worth noting that the registration page does not seem to be displayed to a user who accesses the application without prior authentication, even though the endpoints above remain reachable.
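The two code paths above can be reduced to a small self-contained model. The following Java program is an added illustration, not Knowage code: `User` stands in for `SbiUser` with only the `flgPwdBlocked` flag that the advisory discusses, the `USERS` map stands in for the DAO, and `credentialsValid` stands in for `PasswordChecker.isValid` (its rules are assumed). `changeVulnerable` has the shape of the flawed flow, where a successful password check clears the block flag; `changeHardened` refuses blocked accounts outright and never touches the flag, so only the activation path (modelled by the hypothetical `activate` helper) can unblock an account.

```java
import java.util.HashMap;
import java.util.Map;

public class CredentialChangeDemo {

    /** Stand-in for SbiUser, reduced to the fields this demo needs (not the real class). */
    static final class User {
        final String userId;
        String password;
        boolean flgPwdBlocked;

        User(String userId, String password) {
            this.userId = userId;
            this.password = password;
            this.flgPwdBlocked = true; // as in Signup.java: a new account starts blocked
        }
    }

    /** In-memory stand-in for ISbiUserDAO. */
    static final Map<String, User> USERS = new HashMap<>();

    /** Stand-in for PasswordChecker.isValid (assumed rules): old password matches, new one confirmed and non-trivial. */
    static boolean credentialsValid(User u, String oldPw, String newPw, String confirm) {
        return u != null
                && u.password.equals(oldPw)
                && newPw != null && newPw.equals(confirm)
                && newPw.length() >= 8;
    }

    /**
     * Shape of the flawed flow: any caller who knows the current password gets the
     * block flag cleared, so self-registration plus one password change activates the account.
     */
    static boolean changeVulnerable(String userId, String oldPw, String newPw, String confirm) {
        User u = USERS.get(userId);
        if (!credentialsValid(u, oldPw, newPw, confirm)) {
            return false;
        }
        u.password = newPw;
        u.flgPwdBlocked = false; // cleared regardless of whether activation ever happened
        return true;
    }

    /**
     * Hardened shape: a blocked account cannot use the public password-change flow at all,
     * and the flow never writes flgPwdBlocked. Only the activation path may clear the flag.
     */
    static boolean changeHardened(String userId, String oldPw, String newPw, String confirm) {
        User u = USERS.get(userId);
        if (u == null || u.flgPwdBlocked) {
            return false; // same answer as for an unknown user, so account state is not leaked
        }
        if (!credentialsValid(u, oldPw, newPw, confirm)) {
            return false;
        }
        u.password = newPw; // block flag left untouched
        return true;
    }

    /** Hypothetical stand-in for the activation step (the e-mailed link) that should gate the account. */
    static void activate(String userId) {
        User u = USERS.get(userId);
        if (u != null) {
            u.flgPwdBlocked = false;
        }
    }

    public static void main(String[] args) {
        // Constructed sample: a freshly self-registered, never-activated account.
        USERS.put("alice", new User("alice", "initial-secret"));
        User alice = USERS.get("alice");

        boolean hardened = changeHardened("alice", "initial-secret", "changed-secret", "changed-secret");
        System.out.println("hardened: accepted=" + hardened + " blocked=" + alice.flgPwdBlocked);

        boolean vulnerable = changeVulnerable("alice", "initial-secret", "changed-secret", "changed-secret");
        System.out.println("vulnerable: accepted=" + vulnerable + " blocked=" + alice.flgPwdBlocked);

        // After genuine activation the hardened flow behaves normally.
        USERS.put("bob", new User("bob", "initial-secret"));
        activate("bob");
        boolean afterActivation = changeHardened("bob", "initial-secret", "changed-secret", "changed-secret");
        System.out.println("hardened after activation: accepted=" + afterActivation
                + " blocked=" + USERS.get("bob").flgPwdBlocked);
    }
}
```

Run with `javac CredentialChangeDemo.java && java CredentialChangeDemo`. The design point is that a public, pre-authentication endpoint should never be the thing that flips an account from blocked to usable; the password-change flow only needs to verify and rotate the secret, and refusing blocked accounts with the same response as unknown ones keeps it from doubling as an account-state oracle.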

Impact

An attacker can register and activate his account without having to click on the link included in the email, allowing him to gain access to the application as a normal user.

Patches

You need to upgrade to Knowage 8.1.8 or a later version.

Workarounds

No workaround is available

Severity

High

CVSS v3 base metrics

Attack vector
Network
Attack complexity
Low
Privileges required
None
User interaction
None
Scope
Changed
Confidentiality
Low
Integrity
Low
Availability
None

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N

CVE ID

CVE-2023-35154

Weaknesses

No CWEs

Credits