Gin-Vue-Admin Authentication Bypass Vulnerability Allowing Unauthorized User Privilege Escalation

Vulnerability

An authentication bypass vulnerability has been identified in Gin-Vue-Admin, a management system built with Vue and Gin. This vulnerability exists in versions prior to 2.4.7, where low-privilege users can modify the information of higher-privilege users. The issue arises because the 'setUserInfo' function lacks proper authentication, allowing unauthorized changes to user data. Exploitation involves using a low-privilege account to alter usernames, nicknames, and even passwords of administrators.

Impact

Exploitation of this vulnerability allows low-privilege users to gain unauthorized access to administrative accounts by changing usernames and passwords, potentially leading to further privilege escalation.

Reproduction

To reproduce this vulnerability, log in with a low-privilege user account. Use the 'setUserInfo' API endpoint to modify the user information of an administrator account, including the username and password. This can be done by sending a PUT request with the desired changes, using the low-privilege user's token for authentication.

Remediation

Users are advised to update Gin-Vue-Admin to version 2.4.7 or later, where this vulnerability has been patched.
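The check that the advisory says 'setUserInfo' lacked, shown as an added Go example that is not gin-vue-admin's own code and does not reproduce the project's 2.4.7 fix: the Claims type, the adminAuthority value, the request field names and the 9528/888 role IDs are assumptions, and the handler is reduced to a standard-library function so the authorization decision is visible on its own. A caller may modify only their own record unless their validated token carries the admin authority.

```go
package main

import (
	"encoding/json"
	"fmt"
	"net/http"
	"strings"
)

// Claims stands in for the identity a JWT middleware attaches to the request after
// validating the token (hypothetical type, not gin-vue-admin's own claim struct).
type Claims struct {
	UserID      uint
	AuthorityID string
}

// setUserInfoReq is the PUT body: the caller names the user record to change.
type setUserInfoReq struct {
	ID       uint   `json:"ID"`
	UserName string `json:"userName"`
	Password string `json:"password"`
}

const adminAuthority = "888" // constructed role ID for this example

// authorizeSetUserInfo is the check the advisory describes as missing: the target
// ID arrives in the body, so it must be tied back to the authenticated caller.
// A caller may edit only their own record unless they hold the admin authority.
func authorizeSetUserInfo(caller Claims, req setUserInfoReq) bool {
	return caller.AuthorityID == adminAuthority || req.ID == caller.UserID
}

// setUserInfoStatus returns the HTTP status the hardened endpoint would answer
// with: 400 on malformed JSON, 403 on a cross-user edit, 200 when allowed.
func setUserInfoStatus(caller Claims, body string) int {
	var req setUserInfoReq
	if err := json.NewDecoder(strings.NewReader(body)).Decode(&req); err != nil {
		return http.StatusBadRequest
	}
	if !authorizeSetUserInfo(caller, req) {
		return http.StatusForbidden
	}
	return http.StatusOK // a real handler would persist req here
}

func main() {
	lowPriv := Claims{UserID: 2, AuthorityID: "9528"} // constructed non-admin caller
	fmt.Println(setUserInfoStatus(lowPriv, `{"ID":1,"userName":"admin","password":"x"}`)) // 403
	fmt.Println(setUserInfoStatus(lowPriv, `{"ID":2,"userName":"me"}`))                   // 200
}
```

The decision is keyed to the identity taken from the validated token, never to an ID supplied in the body; logging the 403 responses from this path gives a cheap detection signal for attempts against accounts the caller does not own.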

Added: May 15, 2026, 8:50 AM
Updated: May 15, 2026, 8:50 AM