Impact
Privilege Escalation via user permissions. Users in an existing group with "maintainer" permissions are permitted to add user to group - but this group addition is not limited to their permission - i.e. a user can add someone (or readd themselves) as an "owner" to the group, and benefit from any additional permissions.
Additionally, when a new group is created, a user is assigned the owner role within this new group. The permission of adding a group to a project was maintainer. This allowed users with the role of maintainer to add groups to projects, which would allow a user with maintainer to elevate their permission to owner by simply creating a new group and assigning the group to the project they are maintainer of. This has also been changed to owner role.
Patches
The permission level required to add user to a group has been set at "owner" or above in Lagoon v2.15.2
The permission level required to add groups to project has been set at "owner" or above in Lagoon v2.15.2
Workarounds
Keycloak administrators can modify the keycloak permission directly at
{Keycloak Lagoon Realm} > Clients > api > Authorization > Permissions > "Add User to Group" and select the "[Lagoon] Users role for group is Owner" policy to apply, remove the existing "maintainer" one, and save.
{Keycloak Lagoon Realm} > Clients > api > Authorization > Permissions > "Add Groups to Project" and select the "[Lagoon] Users role for project is Owner" policy to apply, remove the existing "maintainer" one, and save. (This permission also has a secondary policy of [Lagoon] User has access to project which should remain.
References
Are there any links users can visit to find out more?
shreddedbacon Remediation developer
Impact
Privilege Escalation via user permissions. Users in an existing group with "maintainer" permissions are permitted to
add user to group- but this group addition is not limited to their permission - i.e. a user can add someone (or readd themselves) as an "owner" to the group, and benefit from any additional permissions.Additionally, when a new group is created, a user is assigned the owner role within this new group. The permission of adding a group to a project was maintainer. This allowed users with the role of maintainer to add groups to projects, which would allow a user with maintainer to elevate their permission to owner by simply creating a new group and assigning the group to the project they are maintainer of. This has also been changed to owner role.
Patches
The permission level required to
add user to a grouphas been set at "owner" or above in Lagoon v2.15.2The permission level required to
add groups to projecthas been set at "owner" or above in Lagoon v2.15.2Workarounds
Keycloak administrators can modify the keycloak permission directly at
{Keycloak Lagoon Realm} > Clients > api > Authorization > Permissions > "Add User to Group" and select the "[Lagoon] Users role for group is Owner" policy to apply, remove the existing "maintainer" one, and save.
{Keycloak Lagoon Realm} > Clients > api > Authorization > Permissions > "Add Groups to Project" and select the "[Lagoon] Users role for project is Owner" policy to apply, remove the existing "maintainer" one, and save. (This permission also has a secondary policy of
[Lagoon] User has access to projectwhich should remain.References
Are there any links users can visit to find out more?