Discovered by
Suphawith Phusanbai
Ever Traduora 0.20.0 and below is vulnerable to Privilege Escalation due to the use of a hard-coded JWT signing key.
[VulnerabilityType Other]
Privilege Escalation
[Vendor of Product]
Ever
[Affected Product Code Base]
Traduora - 0.20.0 and below
[Affected Component]
JWT Authentication, Access Control in User Management API
[Attack Type]
Remote
[Impact Escalation of Privileges]
true
[Attack Vectors]
- Create two accounts: one as a project admin and the other as an unprivileged user.
- Log in as the unprivileged account to obtain a JWT token.
- To exploit the vulnerability, I read the API docs that are available on Swagger.
- Access the /api/v1/projects/ProjectID/users endpoint to reveal all users.
- Copy the project admin's userID and go to jwt.io to craft a new JWT token, using "secret" as the signature key and modifying the userID in the JSON data to match the project admin.
- Access the /api/v1/projects/5967c478-ee78-4406-9964-c2010e807fb1/users/c64b6896-9a73-4967-8fa5-58a0909f3341 endpoint to give administrator privilege to the unprivileged user.
- Exploited
[Reference]