{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/products/saltcorn-data/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Saltcorn Data"],"_cs_severities":["high"],"_cs_tags":["privilege-escalation","web-application","cloud"],"_cs_type":"advisory","_cs_vendors":["Saltcorn"],"content_html":"\u003cp\u003eA privilege escalation vulnerability exists in Saltcorn Data, affecting versions prior to 1.4.4, versions between 1.5.0-beta.0 and 1.5.2, and versions between 1.6.0-alpha.0 and 1.6.0-beta.2. The vulnerability allows tenant administrators, who are logged out of the root domain but authenticated within their own tenant space, to create new tenants within the root domain\u0026rsquo;s database schema. This occurs because the system incorrectly evaluates the tenant\u0026rsquo;s role within the context of the root domain during tenant creation. By appending \u003ccode\u003e/tenant/create\u003c/code\u003e to their tenant URL, a tenant admin with sufficient privileges in their tenant can bypass root domain restrictions and create subtenants in the root domain.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAttacker authenticates to their assigned tenant with administrator privileges.\u003c/li\u003e\n\u003cli\u003eAttacker logs out of the root domain (e.g., \u003ccode\u003esaltcorn.com\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eAttacker navigates to the tenant-specific URL, where they have admin rights.\u003c/li\u003e\n\u003cli\u003eAttacker appends \u003ccode\u003e/tenant/create\u003c/code\u003e to the tenant URL (e.g., \u003ccode\u003etenant.saltcorn.com/tenant/create\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eThe application evaluates the user\u0026rsquo;s role in the context of the tenant (admin role).\u003c/li\u003e\n\u003cli\u003eThe application then attempts to create a new tenant but incorrectly does so under the root domain\u0026rsquo;s \u003ccode\u003e_sc_tenants\u003c/code\u003e schema instead of the tenant\u0026rsquo;s.\u003c/li\u003e\n\u003cli\u003eThe new tenant is created in the root domain (PUBLIC SCHEMA \u0026gt; \u003ccode\u003e_sc_tenants\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eThe attacker effectively gains the ability to create tenants in the root domain, escalating privileges.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this vulnerability grants tenant administrators unauthorized admin-level access to the root domain of the Saltcorn Data instance. This could lead to unauthorized modification or deletion of data within the root domain, disruption of service for all tenants hosted on the instance, and potential further escalation of privileges within the system. The advisory does not state specific victim counts or sectors targeted, but the impact is significant due to the potential for widespread disruption and data compromise.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade Saltcorn Data to a patched version (\u0026gt;= 1.4.4, \u0026gt;= 1.5.2, or \u0026gt;= 1.6.0-beta.2) to remediate the vulnerability (reference: Affected Packages).\u003c/li\u003e\n\u003cli\u003eMonitor web server logs for requests to the \u003ccode\u003e/tenant/create\u003c/code\u003e endpoint originating from tenant administrator sessions to detect potential exploitation attempts (reference: Sigma rule \u003ccode\u003eDetect Saltcorn Unauthorized Tenant Creation\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eImplement additional server-side validation to ensure tenant creation requests are properly scoped to the originating tenant\u0026rsquo;s schema (reference: advisory summary).\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-30T12:00:00Z","date_published":"2024-01-30T12:00:00Z","id":"/briefs/2024-01-saltcorn-tenant-creation-vuln/","summary":"A vulnerability in Saltcorn Data allows tenant admins to gain unauthorized admin-level access to the root domain by creating tenants in the root domain's schema instead of their own.","title":"Saltcorn Data Tenant Admin Privilege Escalation via Tenant Creation","url":"https://feed.craftedsignal.io/briefs/2024-01-saltcorn-tenant-creation-vuln/"}],"language":"en","title":"CraftedSignal Threat Feed — Saltcorn Data","version":"https://jsonfeed.org/version/1.1"}