GHSA-wxf3-4fvj-vqqx – @saltcorn/cli
Package
Manager: npm
Name: @saltcorn/cli
Vulnerable Version: >=0 <1.0
Severity
Level: High
CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:H
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:N/VA:H/SC:H/SI:N/SA:H
EPSS: N/A (percentile: N/A)
Details
Unsafe plugins can be installed via pack import by tenant admins

### Summary

Unsafe plugins (for instance `sql-list`) can be installed in subdomain tenants via pack import even if unsafe plugin installation for tenants is disabled.

### Details

I have an example: https://bot20230704.saltcorn.com/view/all_plugins

It's publicly accessible (but holds no particularly sensitive values except the list of tenants). Using this mechanism, one can read **any** data from other tenants.

### Impact

All tenants of an installation (i.e. `saltcorn.com`) can be compromised from a tenant in which the user has admin access. If an untrusted user has admin rights to a tenant instance, they will be able to install a plug-in that can access information from other tenants.

### Revived after 0.8.7

After the patch in 0.8.7 this is not fixed completely. Here are the steps to reproduce:

1. Publish to NPM a plugin that was not approved by the admin (in the case of saltcorn.com, by @glutamate). I've just published this one: https://www.npmjs.com/package/saltcorn-qrcode
2. Publish somewhere a plugin store that includes the plugin from the previous step: https://gist.github.com/pyhedgehog/f1fd7cb13f4d0a7ccf6a965748d19bd2
3. Add the plugin store link to the tenant store.
4. Install the plugin.
5. Use it in the tenant: https://bot20230704.saltcorn.com/view/testqr_show/1

Here is the logic: unsafe plugins are checked against this list: https://github.com/saltcorn/saltcorn/blob/99fe277e497fd193bb070acd8c663aa254a9907c/packages/server/load_plugins.js#L191

But that list is under the control of the tenant admin, not the server admin.

Proposed logic:

```javascript
// Take the list of safe plugin locations from the ROOT tenant's config
// (set by the server admin), not from the tenant's own plugin-store config.
const safes = getRootState()
  .getConfig("available_plugins", [])
  .filter((p) => !p.unsafe)
  .map((p) => p.location);
```
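The proposed logic, carried through into a complete screening step for a pack import, as an added example that is not Saltcorn's code or the reporter's. It assumes a root-state `available_plugins` list whose entries carry `location` and an optional `unsafe` flag (the shape implied by the one-liner above) and a pack whose `plugins` entries carry a `location`; the `ROOT_AVAILABLE_PLUGINS` and `CONSTRUCTED_PACK` values are constructed stand-ins, and `screenPackPlugins` is a hypothetical helper name.

```javascript
// Added example (not Saltcorn's code): decide which plugins a tenant pack
// import may install using the ROOT tenant's configuration, so a tenant
// admin's own plugin-store entries cannot widen the allowed set.

// Constructed stand-in for getRootState().getConfig("available_plugins", []):
// the server admin's list, with the `unsafe` flag per plugin.
const ROOT_AVAILABLE_PLUGINS = [
  { name: "qrcode-safe", location: "@example/qrcode-safe", unsafe: false },
  { name: "sql-list", location: "@example/sql-list", unsafe: true },
  { name: "markdown", location: "@example/markdown" }, // no flag: treated as safe, like the filter above
];

// Mirrors the advisory's one-liner: safe plugin locations derived from root state.
function safeLocations(rootAvailable) {
  return rootAvailable.filter((p) => !p.unsafe).map((p) => p.location);
}

// Screen the plugins listed in an imported pack. The root tenant (server
// admin) keeps installing anything; a subdomain tenant is restricted to the
// root-approved safe list regardless of what its own plugin store advertises.
// Returns { allowed, rejected } so the caller can log the rejections.
function screenPackPlugins(packPlugins, rootAvailable, isRootTenant) {
  if (isRootTenant) return { allowed: [...packPlugins], rejected: [] };
  const safe = new Set(safeLocations(rootAvailable));
  const allowed = [];
  const rejected = [];
  for (const plugin of packPlugins) {
    // Anything not on the root safe list is rejected, whether it is flagged
    // unsafe there or is simply unknown to the server admin.
    (safe.has(plugin.location) ? allowed : rejected).push(plugin);
  }
  return { allowed, rejected };
}

// Constructed pack: one root-approved plugin, one flagged unsafe at root,
// and one the root admin never listed at all (e.g. from a tenant-added store).
const CONSTRUCTED_PACK = {
  plugins: [
    { name: "qrcode-safe", location: "@example/qrcode-safe" },
    { name: "sql-list", location: "@example/sql-list" },
    { name: "unlisted", location: "example-unlisted-plugin" },
  ],
};

// Convenience wrapper that runs the constructed pack through the screen.
function screenConstructedPack(isRootTenant = false) {
  return screenPackPlugins(CONSTRUCTED_PACK.plugins, ROOT_AVAILABLE_PLUGINS, isRootTenant);
}

const result = screenConstructedPack(false);
console.log("allowed:", result.allowed.map((p) => p.name).join(", "));
console.log("rejected:", result.rejected.map((p) => p.name).join(", "));
```

The point of the check is where the allowlist comes from: because it is read from the root tenant's configuration, a tenant admin adding their own plugin store (step 3 above) changes nothing about which locations pass, and rejected entries are returned rather than silently dropped so the import can be logged or refused as a whole.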
Metadata
Created: 2023-07-27T19:28:02Z
Modified: 2023-09-06T19:20:43Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/07/GHSA-wxf3-4fvj-vqqx/GHSA-wxf3-4fvj-vqqx.json
CWE IDs: []
Alternative ID: N/A
Finding: F013
Auto approve: 1