{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/products/avo/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["avo"],"_cs_severities":["high"],"_cs_tags":["broken-access-control","privilege-escalation","ruby"],"_cs_type":"advisory","_cs_vendors":["rubygems"],"content_html":"\u003cp\u003eA critical broken access control vulnerability exists within the Avo framework, specifically affecting version 3.x. This vulnerability resides in the \u003ccode\u003eActionsController\u003c/code\u003e and stems from an insecure action lookup mechanism. An authenticated user, regardless of their privilege level, can execute any Action class (descendants of \u003ccode\u003eAvo::BaseAction\u003c/code\u003e) on any resource within the application. This occurs because the system fails to validate whether the requested action is legitimately registered or permitted for the resource context specified in the request. The absence of this verification allows for the circumvention of intended resource-action mappings. Successful exploitation leads to privilege escalation, unauthorized data manipulation, and potential compromise of the application\u0026rsquo;s integrity. 
It is recommended to upgrade to version 3.31.2 or later, which addresses this vulnerability.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker authenticates to the Avo admin panel with low-level privileges.\u003c/li\u003e\n\u003cli\u003eThe attacker identifies a sensitive action class, such as \u003ccode\u003eAvo::Actions::ToggleAdmin\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe attacker identifies a target record ID, such as a user ID they wish to manipulate.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a POST request to a resource endpoint where the target action is NOT registered (e.g., \u003ccode\u003e/admin/resources/posts/actions\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eThe POST request includes a payload containing the \u003ccode\u003eaction_id\u003c/code\u003e parameter set to the sensitive action class (\u003ccode\u003eAvo::Actions::ToggleAdmin\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eThe POST request also includes a \u003ccode\u003efields[avo_resource_ids]\u003c/code\u003e parameter set to the target record ID.\u003c/li\u003e\n\u003cli\u003eDue to the insecure action lookup in \u003ccode\u003eAvo::ActionsController\u003c/code\u003e, the server executes the \u003ccode\u003eToggleAdmin\u003c/code\u003e action on the specified user ID.\u003c/li\u003e\n\u003cli\u003eThe attacker\u0026rsquo;s privileges are escalated, or unauthorized data manipulation occurs due to the successful execution of the unintended action.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eThe exploitation of this broken access control vulnerability can have severe consequences. A successful attack can lead to privilege escalation, allowing attackers to gain administrative control over the application. Unauthorized operations can be performed, leading to data breaches or data manipulation. 
Sensitive actions designed for restricted resources can be triggered against any record ID, potentially compromising the integrity and confidentiality of data. The impact includes unauthorized deletion, archival, or updates to records, causing reputational damage and potential financial losses.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade to Avo version 3.31.2 or later, which contains the necessary fix to restrict action lookup to registered actions for the current resource context.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eDetect Avo Unauthorized Action Execution\u003c/code\u003e to monitor for attempts to execute actions on resources where they are not registered.\u003c/li\u003e\n\u003cli\u003eReview and audit existing Avo action registrations to ensure that actions are appropriately mapped to resources within the application.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T12:00:00Z","date_published":"2024-01-03T12:00:00Z","id":"/briefs/2024-01-03-avo-broken-access-control/","summary":"Avo framework version 3.x contains a critical Broken Access Control vulnerability in the ActionsController. Due to insecure action lookup logic, an authenticated user can execute any Action class on any resource, even if the action is not registered for that specific resource. This leads to Privilege Escalation and unauthorized data manipulation across the entire application. Version 3.31.2 remediates this issue.","title":"Avo Framework Broken Access Control Vulnerability","url":"https://feed.craftedsignal.io/briefs/2024-01-03-avo-broken-access-control/"}],"language":"en","title":"CraftedSignal Threat Feed — Avo","version":"https://jsonfeed.org/version/1.1"}
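Worked example for the attack chain and the recommended fix above. This is an added illustration, not the brief's own content and not Avo's source code: it models the lookup pattern the advisory describes in plain Ruby, with no Rails dependency. The class names (`BaseAction`, `TogglePublished`, `ToggleAdmin`), the `RESOURCE_ACTIONS` registry, the `vulnerable_find_action` / `hardened_find_action` / `handle_request` methods and the comma-separated `avo_resource_ids` value are all assumptions made for the example; only the parameter names `action_id` and `fields[avo_resource_ids]` come from the advisory.

```ruby
# Added example modelling the advisory's action lookup flaw; not Avo's code.
# All class names, the registry and the request helpers are hypothetical.

class BaseAction
  # Stand-in for the real action body: report what ran on which record.
  def self.run(record_id)
    "#{name} ran on record #{record_id}"
  end
end

class TogglePublished < BaseAction; end   # meant for the posts resource
class ToggleAdmin < BaseAction; end       # meant for the users resource only

# Hypothetical registry: which actions each resource registers.
RESOURCE_ACTIONS = {
  "posts" => [TogglePublished],
  "users" => [ToggleAdmin],
}.freeze

class UnauthorizedAction < StandardError; end

# Vulnerable pattern: resolve the client-supplied action_id to any BaseAction
# descendant, never asking whether the resource in the URL registers it.
def vulnerable_find_action(_resource, action_id)
  klass = Object.const_get(action_id)
  raise UnauthorizedAction, "not an action" unless klass < BaseAction
  klass
end

# Hardened pattern: the request may only name actions registered on the
# resource it was posted to; the class name is matched, never constantized.
def hardened_find_action(resource, action_id)
  registered = RESOURCE_ACTIONS.fetch(resource, [])
  klass = registered.find { |a| a.name == action_id }
  raise UnauthorizedAction, "#{action_id} is not registered on #{resource}" unless klass
  klass
end

# Simulates POST /resources/:resource/actions with the params a controller
# would see. Returns the action results, or an error marker if lookup fails.
def handle_request(params, lookup:)
  klass = send(lookup, params["resource"], params["action_id"])
  ids = params.dig("fields", "avo_resource_ids").to_s.split(",")
  ids.map { |id| klass.run(id) }
rescue UnauthorizedAction, NameError => e
  { error: e.class.name }
end

# Constructed request from the attack chain: a users-only action posted to the
# posts endpoint, targeting user record 42.
ATTACK = {
  "resource" => "posts",
  "action_id" => "ToggleAdmin",
  "fields" => { "avo_resource_ids" => "42" },
}.freeze

if __FILE__ == $PROGRAM_NAME
  p handle_request(ATTACK, lookup: :vulnerable_find_action)
  p handle_request(ATTACK, lookup: :hardened_find_action)
end
```

Run against the constructed request, the vulnerable lookup executes `ToggleAdmin` on record 42 even though it was posted to the posts endpoint, while the hardened lookup refuses it and only permits `ToggleAdmin` when the request arrives at the users endpoint. The same registry comparison (resource in the URL versus the action named by `action_id`) is what a detection rule for this issue keys on in request logs.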