Broken Access Control Issue.

Disclosed by jeetbhdr
  • Program: Akeyless
  • Disclosed date: over 2 years ago
  • Priority: P5 (Bugcrowd's VRT priority rating)
  • Status: Informational (this vulnerability is seen as an accepted business risk)
Summary by jeetbhdr

A user with only Create permission has Read access for Access Roles.

Report details
  • Submitted
  • Target Location: https://console.akeyless.io/ - Akeyless Application
  • Target category: Web App
  • VRT: Broken Access Control (BAC)
  • Priority: P5
  • Bug URL: https://console.akeyless.io/access-roles
  • Description

    Summary: I have found an access control issue. The issue is that a user with only Create permission can read the Access Control details, which is not possible in the case of Secrets & Keys and Auth Methods.

    Steps to Reproduce:
    a. From the admin account, create a new Auth Method using API key from this endpoint: "https://console.akeyless.io/auth-methods".

    b. Fill it in with your preferred name, set the location to /dev, and click Save.

    [Screenshot: Screenshot_2021-12-30_14_09_23.png]

    After filling it in, save that access id and access key to your clipboard.

    c. Now go to Access Roles and create a new role. Name the role anything, but the location should be /dev/, and click Save.

    [Screenshot: Screenshot_2021-12-30_14_11_40.png]

    d. On that Access Role, click Associate Auth Method, select the auth method, and save it.

    [Screenshot: Screenshot_2021-12-30_14_34_34.png]

    e. Below Associate Auth Method you will see Secrets & Keys, Access Control, and Auth Method.
    f. Click on each of them, tick Add Recursively, select the Create option for all three of them, and add.

    [Screenshot: Screenshot_2021-12-30_14_19_52.png]

    The process of creating a sub-admin is documented at this endpoint: "https://docs.akeyless.io/docs/sub-admins".

    g. Now, from another browser or an incognito tab, log in using that access id and access key.
    h. Here you can create a secret key but you can't view it, and you can create an auth method but you can't view it; but when you create an access role you can view that access role and other access roles without having read permission.

    I have posted a full POC video so that you can reproduce it easily. Thank you for looking into my report.
    I wish you a very Happy New Year.
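As an added example, not code from this report or from Akeyless, here is the regression check a defender would want from this finding: a constructed path-scoped policy model plus a check that a role holding only Create on a path cannot read or list items of any of the three resource types. The names `Rule`, `authorize`, `find_read_leaks`, the `create_implies_read` knob and the sample `/dev/` role are all assumptions built for the demonstration, not Akeyless's schema or API.

```python
from dataclasses import dataclass

# Resource categories shown on the Access Role screen, as named in the report.
RESOURCE_TYPES = ("secrets-and-keys", "access-controls", "auth-methods")

@dataclass(frozen=True)
class Rule:
    """One capability grant scoped to a path (constructed model, not Akeyless's schema)."""
    path: str               # e.g. "/dev/"
    resource: str           # one of RESOURCE_TYPES
    caps: frozenset         # subset of {"create", "read", "update", "delete", "list"}
    recursive: bool = True  # "Add Recursively" in the console

def path_matches(rule: Rule, item_path: str) -> bool:
    """Recursive rules cover everything below the path; others cover direct children only."""
    base = rule.path.rstrip("/") + "/"
    if rule.recursive:
        return item_path.startswith(base)
    return item_path.rsplit("/", 1)[0] + "/" == base

def authorize(rules, resource, action, item_path, create_implies_read=()):
    """True if some rule grants `action` on `item_path` for `resource`.
    `create_implies_read` is a constructed knob naming resource types where a
    "create" grant is (wrongly) also honoured for read/list; it lets the check
    below be shown catching the behaviour the report describes."""
    for rule in rules:
        if rule.resource != resource or not path_matches(rule, item_path):
            continue
        if action in rule.caps:
            return True
        if action in ("read", "list") and "create" in rule.caps \
                and resource in create_implies_read:
            return True
    return False

def find_read_leaks(rules, item_path, create_implies_read=()):
    """Resource types a role without read/list can still read or list. Expected: []."""
    leaks = []
    for resource in RESOURCE_TYPES:
        if any(r.resource == resource and r.caps & {"read", "list"} for r in rules):
            continue  # read was granted on purpose; not a leak
        if any(authorize(rules, resource, a, item_path, create_implies_read)
               for a in ("read", "list")):
            leaks.append(resource)
    return leaks

# Constructed: the sub-admin role from the report, create-only on all three types under /dev/.
SUB_ADMIN = [Rule("/dev/", t, frozenset({"create"})) for t in RESOURCE_TYPES]
```

Running `find_read_leaks` against the real authorization decision point (in place of the `create_implies_read` knob) turns the report's manual steps g and h into an automated test that fails whenever any resource type lets Create stand in for Read.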
