CVE-2023-0759 - Privilege Chaining

Severity

88%

Complexity

27%

Confidentiality

98%

Privilege Chaining in GitHub repository cockpit-hq/cockpit prior to 2.3.8.

CVSS 3.1 Base Score 8.8. CVSS Attack Vector: network. CVSS Attack Complexity: low. CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H).

Demo Examples

Privilege Chaining

CWE-268

This code allows someone with the role of "ADMIN" or "OPERATOR" to reset a user's password. The role of "OPERATOR" is intended to have less privileges than an "ADMIN", but still be able to help users with small issues such as forgotten passwords.


               
}
ADMIN,OPERATOR,USER,GUEST

                     
}

                           
}

                                 
}
break;
break;
break;
System.out.println("You must be logged in to perform this command");

This code does not check the role of the user whose password is being reset. It is possible for an Operator to gain Admin privileges by resetting the password of an Admin account and taking control of that account.

Overview

First reported 2 years ago

2023-02-09 14:15:00

Last updated 2 years ago

2023-02-16 14:44:00

Affected Software

Agentejo Cockpit

References

https://github.com/cockpit-hq/cockpit/commit/78d6ed3bf093ee11356ba66320c628c727068714

https://huntr.dev/bounties/49e2cccc-bb56-4633-ba6a-b3803e251347

https://github.com/cockpit-hq/cockpit/commit/78d6ed3bf093ee11356ba66320c628c727068714

Patch

https://huntr.dev/bounties/49e2cccc-bb56-4633-ba6a-b3803e251347

Exploit, Issue Tracking, Patch, Third Party Advisory

Stay updated

ExploitPedia is constantly evolving. Sign up to receive a notification when we release additional functionality.

Get in touch

If you'd like to report a bug or have any suggestions for improvements then please do get in touch with us using this form. We will get back to you as soon as we can.