Mobile Security Framework Privilege Escalation Vulnerability

A local privilege escalation vulnerability has been identified in Mobile Security Framework (MobSF) version 4.3.0. This issue arises because the application improperly manages user roles, allowing any registered user to obtain an API token with excessive privileges. The vulnerability can be exploited by authorized users to access restricted functionalities or information.

Impact

Exploitation of this vulnerability allows for unauthorized access to privileged actions or data, effectively escalating the user's rights within the application.

Reproduction

To reproduce this vulnerability, first create a user account with minimal privileges. After logging in with this account, navigate to the static analysis section of any application. Then, access the code review of the selected application, where the token with elevated privileges will be available in the response. This token can be used to retrieve dynamic analysis information that has not been accessed before, thereby escalating privileges.

Remediation

Users are advised to upgrade to version 4.3.1, where this vulnerability has been addressed.