[mitreid-connect] CVE-2020-5498

Justin Richer jricher at mit.edu
Fri Jan 17 15:48:44 EST 2020


Hi Aaron,

Thanks for the report. The value of the isAdmin flag on the front end would allow you to see the pages, but the APIs would still return empty information rendering the attack fairly pointless. We don’t read or trust the value of isAdmin from the front end when calculating the information to return to the front end for display or manipulation. We use that flag in the front end to change which pages are made visible on the UI, and turn off admin-only controls that would simply fail for a non-admin user. Yes, they’d get to see the admin pages if they change this variable, but they wouldn’t get access to anything they wouldn’t see already. As in, they don’t actually gain admin access. Ergo, I’m not convinced that this attack is meaningful. Can you please help me understand if this allows for data access beyond what the user is intended to be able to see?

That said, the cross-site scripting issue should be fixed anyway as it could allow for manipulation of the page where you don’t want it to. 

Thanks,
 — Justin

> On Jan 14, 2020, at 2:18 PM, Aaron Bishop <aaron at securitymetrics.com> wrote:
> 
> Hello,
> 
> I reported a Cross-Site Scripting <https://github.com/mitreid-connect/OpenID-Connect-Java-Spring-Server/issues/1521> issue, which has been assigned CVE-2020-5497, affecting OpenID but withheld from publicly reporting a related issue. A user can purposefully conduct the Cross-Site Scripting attack against themselves to force the isAdmin check to return true. The isAdmin call is used by several pages to view page content. This would allow a low privileged user to view pages such as Scope, Whitelist, Clients, etc. This issue was assigned CVE-2020-5498 but has not been published. Let me know if you need more information.
> 
> Best regards,
> 
> AARON BISHOP | Principal Penetration Tester
> 
> CISSP, OSCP, OSWE
> 
> P:801.995.6999
> 
> 
> _______________________________________________
> mitreid-connect mailing list
> mitreid-connect at mit.edu
> http://mailman.mit.edu/mailman/listinfo/mitreid-connect
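The separation Justin describes, as an added example that is not MITREid Connect's own code: the API derives the caller's role from a server-side session store and never reads a client-supplied isAdmin value, so a flag flipped in the browser changes only what the UI shows. The session store, session ids and client list are constructed for the demonstration.

```python
# Added illustration, not code from the MITREid Connect project.
from dataclasses import dataclass, field

# Constructed server-side session store: session id -> (username, roles).
SESSIONS = {
    "sess-admin": ("alice", {"ROLE_USER", "ROLE_ADMIN"}),
    "sess-user": ("bob", {"ROLE_USER"}),
}

# Constructed admin-only data (stand-in for the Clients page's API result).
CLIENTS = [{"clientId": "client-1"}, {"clientId": "client-2"}]


@dataclass
class Request:
    session_id: str
    # Whatever the browser sends, including a spoofed {"isAdmin": True};
    # the server never uses it for authorization.
    body: dict = field(default_factory=dict)


@dataclass
class Response:
    status: int
    body: object


def is_admin(request: Request) -> bool:
    """Authorization decision from server state only; request.body is ignored."""
    session = SESSIONS.get(request.session_id)
    return session is not None and "ROLE_ADMIN" in session[1]


def list_clients(request: Request) -> Response:
    """Admin-only API: a non-admin gets 403 and an empty list, whatever the page's JS claims."""
    if not is_admin(request):
        return Response(403, [])
    return Response(200, CLIENTS)


def ui_flags(request: Request) -> dict:
    """Flag the front end uses to show or hide admin pages; informational only."""
    return {"isAdmin": is_admin(request)}
```

A client that sets isAdmin in the browser can reach the admin page's markup but every API call behind it still answers as for its real role.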


