Unsafe plugins can be installed via pack import by tenant admins

Summary

Unsafe plugins (for instance sql-list) can be installed in subdomain tenants via pack import even if unsafe plugin installation for tenants is disables

Details

I have an example https://bot20230704.saltcorn.com/view/all_plugins It's publicly accessible (but has not so secure values except list of tenants). But using this mech one can read any data from other tenants.

Impact

All tenants of installation (i.e. saltcorn.com), can be compromised from tenant user has admin access. If an untrusted user has admin rights to a tenant instance, they will be able to install a plug-in that can access information from other tenants

Published: Jul 27, 2023
Updated: Jul 28, 2023
GHSA: GHSA-wxf3-4fvj-vqqx
Severity: High
Exploit:

CVSS v3:

Severity: Unknown
Score:
AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:H

No CWE or OWASP classifications available.

Affected Software
References

Software	From	Fixed in
@saltcorn / cli	-	1.0

https://github.com/saltcorn/saltcorn/blob/99fe277e497fd193bb070acd8c663aa254a9907c/packages/server/load_plugins.js#L191
https://github.com/saltcorn/saltcorn/commit/0f32a51277a635c814a634bda9b6d358fb8c04ab
https://github.com/saltcorn/saltcorn/pull/1973
https://github.com/saltcorn/saltcorn/security/advisories/GHSA-wxf3-4fvj-vqqx

Vulnerability Database

289,599

Unsafe plugins can be installed via pack import by tenant admins

Summary

Details

Impact