Tolgee is a popular and effective open-source localization platform used by developers globally to manage translations in their applications. A security vulnerability, tracked as CVE-2023-38510, was recently discovered in some older versions of the platform (specifically, versions 3.14. through 3.23.).

This vulnerability allows unauthorized access to certain endpoints in the platform's backend: permission checks can be bypassed with an exposed API key. Consequently, it has the potential to compromise security and introduce unauthorized data access in affected projects. Note that this issue affects only projects that have inadvertently exposed their API keys on the internet; projects that have kept their API keys secure remain unaffected. The Tolgee team has addressed this issue in the latest version (3.23.1) of the platform.

Exploit Details

The vulnerability exists due to incorrect handling of permission verification associated with API keys by the Tolgee backend. As a result, the affected endpoints fail to perform permission checks, enabling unauthorized users to gain access to these protected resources simply by using an exposed API key.
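To make the bug class concrete, here is an added illustration (not Tolgee's code) of an API-key-protected handler that only checks that the key exists, beside a corrected handler that also enforces the key's project binding and scopes. The key store, scope names and the `apikey` header name are constructed for the example.

```python
# Added example, not part of Tolgee. Models the failure described above:
# a backend that authenticates an API key but never authorizes it.
from dataclasses import dataclass


@dataclass(frozen=True)
class ApiKey:
    key: str
    project_id: int          # project the key was issued for
    scopes: frozenset        # permissions granted to the key


# Constructed sample key store: one key limited to viewing project 1.
KEYS = {
    "sample_view_only_key": ApiKey(
        "sample_view_only_key", project_id=1,
        scopes=frozenset({"translations.view"}),
    ),
}


def authenticate(headers):
    """Resolve the key named in the request headers; None if missing/unknown."""
    return KEYS.get(headers.get("apikey"))


def vulnerable_handler(headers, project_id, required_scope):
    """Authentication only: any valid key reaches any project and endpoint."""
    key = authenticate(headers)
    if key is None:
        return 401
    # Missing permission check: project_id and required_scope are ignored.
    return 200


def fixed_handler(headers, project_id, required_scope):
    """Authentication plus authorization: key must belong to the requested
    project and carry the scope the endpoint requires."""
    key = authenticate(headers)
    if key is None:
        return 401
    if key.project_id != project_id or required_scope not in key.scopes:
        return 403
    return 200
```

A view-only key for project 1 is accepted by `vulnerable_handler` for an edit on project 2, while `fixed_handler` rejects it with 403.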

Affected versions: 3.14. through 3.23.

Projects that have inadvertently exposed their API keys are susceptible to unauthorized access, leading to potential security breaches.

To exploit this issue, an attacker needs an exposed API key from an affected project. With this key, they can send a request to access endpoints that are intended to be protected by permission checks, effectively bypassing the intended security measures in place.

Here's a sample code snippet of the exploit (using the Python requests library):

import requests

# Placeholders: the exposed key and the affected Tolgee instance.
API_KEY = 'your_exposed_api_key_here'
BASE_URL = 'https://your-tolgee-instance.com'
ENDPOINT = '/some/protected/endpoint'

# The request carries only the API key; no further permission check is applied
# by affected versions, so the response is 200 despite the missing permission.
headers = {'apikey': API_KEY}
response = requests.get(f'{BASE_URL}{ENDPOINT}', headers=headers)

if response.status_code == 200:
    print("Successfully accessed protected endpoint.")
else:
    print("Access denied.")

Original References

You can find the original references regarding CVE-2023-38510, detailing the issue and the patch, in these resources:
1. CVE-2023-38510 description on the CVE List.
2. Tolgee's official repository on GitHub.

To secure your Tolgee project against this vulnerability, undertake the following steps:

1. Upgrade your Tolgee instance to version 3.23.1 or later. This version resolves the API key permission bypass issue.
2. Review and ensure that your project's API keys are securely stored and not exposed on the internet. Implement secure storage practices to prevent unauthorized access to your API keys.
3. Regularly audit your project's access logs to identify any instances of unauthorized access. This practice aids in the early detection and mitigation of potential security breaches.

Conclusion

In summary, CVE-2023-38510 is a security vulnerability affecting the Tolgee localization platform, versions 3.14. through 3.23. It enables unauthorized users who obtain an exposed API key to bypass intended permission checks and access certain endpoints without proper authorization. Projects that securely store their API keys are not impacted by this vulnerability. Upgrading to Tolgee version 3.23.1 resolves the issue, and following secure key storage practices will help maintain the security of your project.

Timeline

Published on: 07/27/2023 19:15:00 UTC
Last modified on: 08/03/2023 13:41:00 UTC