Ecosyste.ms: Advisories

An open API service providing security vulnerability metadata for many open source software ecosystems.

Security Advisories: GSA_kwCzR0hTQS13eGYzLTRmdmotdnFxeM4AA067

Unsafe plugins can be installed via pack import by tenant admins

Summary

Unsafe plugins (for instance sql-list) can be installed in subdomain tenants via pack import even if unsafe plugin installation for tenants is disabled.

Details

I have an example:
https://bot20230704.saltcorn.com/view/all_plugins
It's publicly accessible (but it does not hold especially sensitive values, except the list of tenants).
But using this mechanism one can read any data from other tenants.

Impact

All tenants of an installation (i.e. saltcorn.com) can be compromised by a tenant user who has admin access. If an untrusted user has admin rights to a tenant instance, they will be able to install a plug-in that can access information from other tenants.

Revived after 0.8.7

After the patch in 0.8.7 this is not fixed completely.

Here are the steps to reproduce:

  1. Publish to NPM a plugin that was not approved by the admin (in the case of saltcorn.com, by @glutamate). I've just published this one: https://www.npmjs.com/package/saltcorn-qrcode
  2. Publish somewhere a plugin store that includes the plugin from the previous step: https://gist.github.com/pyhedgehog/f1fd7cb13f4d0a7ccf6a965748d19bd2
  3. Add the plugin store link to the tenant store.
  4. Install the plugin.
  5. Use it in the tenant: https://bot20230704.saltcorn.com/view/testqr_show/1

Here is the logic:
Unsafe plugins are checked against this list:
https://github.com/saltcorn/saltcorn/blob/99fe277e497fd193bb070acd8c663aa254a9907c/packages/server/load_plugins.js#L191
But that list is under the control of the tenant admin, not the server admin.
Proposed logic:

const safes = getRootState().getConfig("available_plugins",[]).filter(p=>!p.unsafe).map(p=>p.location);
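As an added example (not Saltcorn's own code), the following JavaScript contrasts an allow-list derived from the tenant's own configuration with one derived from the root state. The state objects, the store contents and the name example-safe-plugin are constructed for this illustration; the {location, unsafe} entry shape follows the proposed fix line above.

```javascript
// Added example, not Saltcorn's code: models the "safe plugin" allow-list
// check described in the advisory. All state objects and store contents
// below are constructed for illustration.

// Minimal stand-in for a Saltcorn state object's getConfig(key, fallback).
function makeState(availablePlugins) {
  const config = { available_plugins: availablePlugins };
  return {
    getConfig: (key, fallback) => (key in config ? config[key] : fallback),
  };
}

// Root (server-wide) plugin store, curated by the server admin.
// "sql-list" is flagged unsafe, so tenants must never be able to install it.
const rootState = makeState([
  { location: "example-safe-plugin", unsafe: false },
  { location: "sql-list", unsafe: true },
]);

// A tenant's own store: the tenant admin added a third-party store that
// lists an unreviewed package (saltcorn-qrcode from the report) as "safe".
const tenantState = makeState([
  { location: "example-safe-plugin", unsafe: false },
  { location: "saltcorn-qrcode", unsafe: false },
]);

// Same filter in both variants; only the state it reads from differs.
function safeLocations(state) {
  return state
    .getConfig("available_plugins", [])
    .filter((p) => !p.unsafe)
    .map((p) => p.location);
}

// Vulnerable: the allow-list comes from the tenant's configuration, which
// the tenant admin controls, so anything they add to their store is "safe".
function tenantMayInstallVulnerable(location, tenant) {
  return safeLocations(tenant).includes(location);
}

// Fixed: the allow-list comes from the root state only; tenant-added stores
// cannot widen it, and unsafe entries stay excluded.
function tenantMayInstallFixed(location, root) {
  return safeLocations(root).includes(location);
}

for (const loc of ["example-safe-plugin", "sql-list", "saltcorn-qrcode"]) {
  console.log(loc, "vulnerable:", tenantMayInstallVulnerable(loc, tenantState),
    "fixed:", tenantMayInstallFixed(loc, rootState));
}
```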
Permalink: https://github.com/advisories/GHSA-wxf3-4fvj-vqqx
JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS13eGYzLTRmdmotdnFxeM4AA067
Source: GitHub Advisory Database
Origin: Unspecified
Severity: High
Classification: General
Published: 9 months ago
Updated: 8 months ago


CVSS Score: 8.7
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:H

Identifiers: GHSA-wxf3-4fvj-vqqx
References: Repository: https://github.com/saltcorn/saltcorn
Blast Radius: 8.3

Affected Packages

npm:@saltcorn/cli
Dependent packages: 3
Dependent repositories: 9
Downloads: 1,147 last month
Affected Version Ranges: < 1.0
Fixed in: 1.0
All affected versions: 0.0.2, 0.0.3, 0.0.4, 0.0.5, 0.0.6, 0.0.7, 0.0.8, 0.0.9, 0.1.0, 0.1.1, 0.1.2, 0.1.3, 0.1.4, 0.2.0, 0.2.1, 0.2.2, 0.2.3, 0.3.0, 0.3.1, 0.3.2, 0.3.3, 0.3.4, 0.3.5, 0.4.0, 0.4.1, 0.4.2, 0.4.3, 0.4.4, 0.4.5, 0.5.0, 0.5.1, 0.5.2, 0.5.3, 0.5.4, 0.5.5, 0.5.6, 0.6.0, 0.6.1, 0.6.2, 0.6.3, 0.6.4, 0.7.0, 0.7.1, 0.7.2, 0.7.3, 0.7.4, 0.8.0, 0.8.1, 0.8.2, 0.8.3, 0.8.4, 0.8.5, 0.8.6, 0.8.7, 0.8.9, 0.9.0, 0.9.1, 0.9.2, 0.9.3, 0.9.4
All unaffected versions: