{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/products/aegra-api/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["aegra-api","aegra"],"_cs_severities":["high"],"_cs_tags":["idor","privilege-escalation","credential-access","defense-evasion"],"_cs_type":"advisory","_cs_vendors":["Aegra"],"content_html":"\u003cp\u003eA cross-tenant IDOR vulnerability affects Aegra deployments running versions 0.9.0 through 0.9.6 where multiple authenticated users share an instance. An authenticated user (User A) who knows the \u003ccode\u003ethread_id\u003c/code\u003e of another user (User B) can perform unauthorized actions on that thread. User A can execute graph runs against User B\u0026rsquo;s thread, read User B\u0026rsquo;s full checkpoint state, inject arbitrary messages into User B\u0026rsquo;s conversation history, and hide their activity from User B\u0026rsquo;s \u003ccode\u003eGET /threads/{thread_id}/runs\u003c/code\u003e listing. The activity stays hidden from that listing because the run carries User A\u0026rsquo;s \u003ccode\u003euser_id\u003c/code\u003e, not User B\u0026rsquo;s. The streaming variant of the run creation endpoints exacerbates the vulnerability by returning the entire prior \u003ccode\u003emessages\u003c/code\u003e array immediately upon connection, without requiring graph execution. 
This vulnerability was discovered by @JoJoTheBizarre and resolved in version 0.9.7.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eUser A authenticates to the Aegra application.\u003c/li\u003e\n\u003cli\u003eUser A obtains User B\u0026rsquo;s \u003ccode\u003ethread_id\u003c/code\u003e through frontend URLs, server logs, observability traces, or shared links.\u003c/li\u003e\n\u003cli\u003eUser A crafts a \u003ccode\u003ePOST\u003c/code\u003e request to \u003ccode\u003e/threads/{thread_id}/runs\u003c/code\u003e, \u003ccode\u003e/threads/{thread_id}/runs/stream\u003c/code\u003e, or \u003ccode\u003e/threads/{thread_id}/runs/wait\u003c/code\u003e, replacing \u003ccode\u003e{thread_id}\u003c/code\u003e with User B\u0026rsquo;s \u003ccode\u003ethread_id\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe Aegra application fails to validate that User A owns the target \u003ccode\u003ethread_id\u003c/code\u003e due to a missing \u003ccode\u003euser_id\u003c/code\u003e filter at the SQL layer.\u003c/li\u003e\n\u003cli\u003eThe request executes a graph run within User B\u0026rsquo;s thread context, using User A\u0026rsquo;s credentials.\u003c/li\u003e\n\u003cli\u003eUser A reads User B\u0026rsquo;s full checkpoint state via the resulting run\u0026rsquo;s \u003ccode\u003eoutput\u003c/code\u003e field (or via SSE events in the streaming variant).\u003c/li\u003e\n\u003cli\u003eUser A injects arbitrary messages into User B\u0026rsquo;s conversation history, which are then persisted in User B\u0026rsquo;s checkpoint.\u003c/li\u003e\n\u003cli\u003eUser A\u0026rsquo;s actions are hidden from User B\u0026rsquo;s thread run listing because the run is associated with User A\u0026rsquo;s \u003ccode\u003euser_id\u003c/code\u003e.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation allows an attacker to execute arbitrary code within another user\u0026rsquo;s 
context, potentially leading to data exfiltration, modification of user data, and disruption of service. With multiple authenticated users on a shared instance, any user can read the full checkpoint state or inject arbitrary messages into another user\u0026rsquo;s conversation history. If streaming is enabled, the attacker can read the full conversation history without further steps.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade Aegra deployments to version 0.9.7 or later to address the vulnerability as per the patch notes.\u003c/li\u003e\n\u003cli\u003eIf upgrading is not immediately feasible, implement the workaround by registering an \u003ccode\u003e@auth.on(\u0026quot;threads\u0026quot;, \u0026quot;create_run\u0026quot;)\u003c/code\u003e handler that explicitly verifies thread ownership against the authenticated identity before allowing the operation, as detailed in the workaround section.\u003c/li\u003e\n\u003cli\u003eMonitor web server logs for suspicious \u003ccode\u003ePOST\u003c/code\u003e requests to the affected endpoints (\u003ccode\u003e/threads/{thread_id}/runs\u003c/code\u003e, \u003ccode\u003e/threads/{thread_id}/runs/stream\u003c/code\u003e, \u003ccode\u003e/threads/{thread_id}/runs/wait\u003c/code\u003e) originating from unexpected IP addresses using the Sigma rule \u0026ldquo;Detect Aegra Cross-Tenant IDOR Attempt\u0026rdquo;.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-09T12:00:00Z","date_published":"2024-01-09T12:00:00Z","id":"/briefs/2024-01-aegra-idor/","summary":"Aegra versions 0.9.0 through 0.9.6 are vulnerable to a cross-tenant IDOR, enabling authenticated users to execute graph runs against other users' threads, read checkpoint states, inject messages, and conceal their actions due to missing user ID validation on run creation endpoints; patched in version 0.9.7.","title":"Aegra Cross-Tenant IDOR in Thread Run 
Creation","url":"https://feed.craftedsignal.io/briefs/2024-01-aegra-idor/"}],"language":"en","title":"CraftedSignal Threat Feed — Aegra-Api","version":"https://jsonfeed.org/version/1.1"}