shsuishang ShopSuite ModulithShop Path Traversal Vulnerability in JwtAuthenticationFilter Allowing Privilege Escalation

A vertical privilege escalation vulnerability has been identified in shsuishang ShopSuite ModulithShop versions through 45a99398cec3b7ad7ff9383694f0b53339f2d35a. The issue arises in the JwtAuthenticationFilter, where improper path normalization allows authenticated low-privileged users to bypass authorization checks and gain access to administrative endpoints that lack proper security annotations. This vulnerability can be exploited remotely, and a public exploit is available.

Impact

Exploitation of this vulnerability allows authenticated users to escalate privileges to an administrative level, bypassing authorization checks and gaining access to sensitive administrative functions and endpoints.

Reproduction

To reproduce this vulnerability, an authenticated user must send a request to an administrative endpoint using the Jwt authentication filter. The request should include path traversal sequences to manipulate the request URI. This can be done by prepending the traversal sequences to the URI of the targeted endpoint. The Jwt filter will fail to load the necessary administrative permissions, while the request will still be correctly routed to the intended controller.

Remediation

To address this vulnerability, the path detection logic in the JwtAuthenticationFilter should be updated to use the getServletPath() method for proper normalization. Additionally, missing authorization annotations should be added to all sensitive endpoints in the MenuBaseController.