CVE-2022-41799: Bypassing Access Restrictions in GROWI - A Deep Dive into the Improper Access Control Vulnerability, and Patches

A new vulnerability, CVE-2022-41799, was recently discovered in GROWI, a popular open-source team collaboration software. This vulnerability affects versions prior to v5.1.4 (v5 series) and versions prior to v4.5.25 (v4 series). It is an improper access control issue that allows a remote authenticated attacker to bypass access restrictions and download the markdown data from pages set to private by other users.

In this post, we will explore the details of this vulnerability, including code snippets, original references, and exploit details. We will also discuss the steps to fix this issue and ensure that your GROWI software is secure.

Vulnerability Details

Improper access control vulnerability in GROWI allows an attacker to bypass the intended access restrictions on private pages. This means that a malicious user can download the markdown data, which may contain sensitive information, from private pages created by other users.

The actual exploitation of this vulnerability requires the attacker to be authenticated as a valid user within the GROWI application.

To better understand the nature of the vulnerability, let's dive into the relevant code snippets.

Code Snippets

The vulnerability lies in the access control mechanism of the GROWI application. Due to a lack of proper validation checks, authenticated users can misuse the "Export" functionality to download the markdown data of private pages.

The affected code can be found in the file "Page.js"

// Page.js
async download(data) {
  // some code here
  if (data.type === 'markdown') {
    ...
  }
  return res;
}

This code calls the download function for files of type 'markdown'. However, there is no access control check to ensure that the user has the right permissions to download the data.

Exploit Details

By exploiting this vulnerability, an attacker can craft an HTTPS request to the server to download the markdown data of a private page that belongs to another user. Here is an example of a malicious request:

GET /_api/v3/path/to/private/page.md

By sending this request, the attacker can download the markdown data of the private page located at "path/to/private/page". Ultimately, this exploit exposes sensitive information that should have been restricted to authorized users.

The original references to the vulnerability can be found on the following links

- CVE-2022-41799 Vulnerability Description

- GROWI Official Release Note for v5.1.4

- GROWI Official Release Note for v4.5.25

Patches and Remediation

The GROWI team has already released patches for this vulnerability. The affected users should upgrade their GROWI installations to the latest versions as follows:

For the v4 series: Upgrade to v4.5.25 or later.

After upgrading the GROWI software, the access control vulnerability will be fixed and the application should be protected from potential exploits.

Conclusion

CVE-2022-41799 is an improper access control vulnerability in GROWI, which allows remote authenticated attackers to bypass access restrictions and download the markdown data from private pages. This vulnerability affects versions prior to v5.1.4 (v5 series) and versions prior to v4.5.25 (v4 series). Thankfully, this issue has been addressed by the GROWI team, and users can secure their installations by upgrading to the patched versions.

Timeline

Published on: 10/24/2022 14:15:00 UTC
Last modified on: 10/24/2022 17:20:00 UTC