Summary by customer
The Abnormal Security API endpoint /v1.0/rbac/users_v2/{USER_ID}/ permits authenticated users to modify user attributes, including their roles and associated permissions.
However, the API fails to adequately verify whether the requesting user possesses the necessary privileges to alter the role of the target user.
As a result, a user with a lower administrative role (e.g., Portal Tenant Admin) can successfully downgrade the role of a user with a higher administrative role (e.g., Portal Global Admin) by sending a specifically crafted PUT request to the aforementioned endpoint.
NOTE: It is not possible to elevate permissions; the proper validation for that case is in place.
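The authorization gap described above, as an added example that is not Abnormal Security's code: a role-change handler whose check only validates the new role (blocking elevation, as the note states) beside a hardened check that also compares the target's current role against the requester's. The role names come from the report; the numeric ranks, user records and function names are assumptions for illustration.

```python
from dataclasses import dataclass

# Role hierarchy: higher rank = more privilege. Role names come from the report;
# the numeric ranks are an assumption for this example.
ROLE_RANK = {"Portal Tenant Admin": 1, "Portal Global Admin": 2}


@dataclass
class User:
    user_id: str
    role: str


class Forbidden(Exception):
    """Raised when the requester lacks authority for the requested change."""


def vulnerable_role_check(actor: User, target: User, new_role: str) -> bool:
    # Only checks elevation: the new role must not exceed the actor's own role.
    # It never looks at the target's CURRENT role, so a Tenant Admin can
    # downgrade a Global Admin.
    return ROLE_RANK[new_role] <= ROLE_RANK[actor.role]


def hardened_role_check(actor: User, target: User, new_role: str) -> bool:
    # The actor must rank at least as high as BOTH the target's current role
    # and the role being assigned.
    actor_rank = ROLE_RANK[actor.role]
    return ROLE_RANK[target.role] <= actor_rank and ROLE_RANK[new_role] <= actor_rank


def put_user_role(users: dict, actor_id: str, target_id: str, new_role: str, check) -> str:
    """Hypothetical handler for PUT /v1.0/rbac/users_v2/{USER_ID}/ with the
    role check injected. Returns the target's role after the request and
    raises Forbidden when the check denies the change."""
    actor, target = users[actor_id], users[target_id]
    if new_role not in ROLE_RANK:
        raise ValueError(f"unknown role: {new_role}")
    if not check(actor, target, new_role):
        raise Forbidden(f"{actor.user_id} ({actor.role}) may not set {target.user_id} to {new_role}")
    target.role = new_role
    return target.role


def make_users() -> dict:
    # Constructed sample tenant: one Tenant Admin and one Global Admin.
    return {
        "tenant-admin": User("tenant-admin", "Portal Tenant Admin"),
        "global-admin": User("global-admin", "Portal Global Admin"),
    }
```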