Ash-Project Ash Authentication Bypass Vulnerability

Vulnerability

An incorrect authorization vulnerability has been identified in the Ash framework, affecting versions from 3.6.3 up to, but not including, 3.7.1. The vulnerability allows authentication bypass because requests are authorized on the strength of a bypass policy alone: when a bypass policy's condition evaluates to true but its authorization check fails, and no other policies apply, the request is nevertheless authorized. As a result, resources can be accessed without proper authorization.

Impact

Exploitation of this vulnerability allows unauthorized access to resources by bypassing established authorization policies, potentially leading to unauthorized actions or data access.

Reproduction

The vulnerability can be reproduced with a policy whose bypass condition is always true while the corresponding authorization check fails: for example, a 'bypass always()' policy combined with an authorization check that evaluates to false, such as 'actor_attribute_equals(:is_admin, false)', with no other policies applying. With this combination, the framework incorrectly authorizes the action on the basis of the bypass condition alone, even though the authorization check failed.

Remediation

Users can upgrade to Ash version 3.7.1, where this vulnerability has been patched.
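The following is an added example, not code from the advisory or from the Ash project. It shows an Ash resource whose policy block matches the shape described under Reproduction (a 'bypass always()' policy whose check is 'actor_attribute_equals(:is_admin, false)' and no other policy), a second resource that adds an explicit catch-all policy as a defense-in-depth measure, and a probe that uses Ash.can?/2 to confirm the installed version enforces the policy as written. Module, domain and attribute names are assumed, the catch-all policy is an assumption drawn from the advisory's "no other policies apply" condition and does not replace upgrading to 3.7.1, and the modules are shown in one listing for brevity (a real project keeps them in separate files and registers the domain in config).

```elixir
# Added example; not the advisory's or the Ash project's own code.
# Names (MyApp.*, :body, :is_admin actor shape) are assumptions.

defmodule MyApp.Secret do
  # Resource with exactly the policy shape the advisory describes.
  use Ash.Resource,
    domain: MyApp.Domain,
    data_layer: Ash.DataLayer.Ets,
    authorizers: [Ash.Policy.Authorizer]

  attributes do
    uuid_primary_key :id
    attribute :body, :string, public?: true
  end

  actions do
    defaults [:read, :destroy, create: [:body]]
  end

  policies do
    # Bypass condition is always true; the check fails for any actor whose
    # :is_admin attribute is not false; no other policy applies.
    # On Ash 3.6.3 up to 3.7.0 such a request was authorized anyway;
    # on 3.7.1 and later it is forbidden, as the policy intends.
    bypass always() do
      authorize_if actor_attribute_equals(:is_admin, false)
    end
  end
end

defmodule MyApp.SecretHardened do
  # Same resource with an explicit catch-all policy (assumed mitigation):
  # a policy that always applies, so the advisory's "no other policies
  # apply" condition is never reached. A passing bypass still
  # short-circuits to authorized before the catch-all is consulted.
  use Ash.Resource,
    domain: MyApp.Domain,
    data_layer: Ash.DataLayer.Ets,
    authorizers: [Ash.Policy.Authorizer]

  attributes do
    uuid_primary_key :id
    attribute :body, :string, public?: true
  end

  actions do
    defaults [:read, :destroy, create: [:body]]
  end

  policies do
    bypass always() do
      authorize_if actor_attribute_equals(:is_admin, false)
    end

    policy always() do
      forbid_if always()
    end
  end
end

defmodule MyApp.Domain do
  use Ash.Domain

  resources do
    resource MyApp.Secret
    resource MyApp.SecretHardened
  end
end

defmodule MyApp.PolicyProbe do
  # Ash.can?/2 evaluates the policies for an actor without running the
  # action. Actors here are constructed maps standing in for user records.
  @check_fails %{is_admin: true}   # actor_attribute_equals(:is_admin, false) -> false
  @check_passes %{is_admin: false} # actor_attribute_equals(:is_admin, false) -> true

  # Expected false on 3.7.1 and later; true on affected versions.
  def unmatched_actor_can_read?, do: Ash.can?({MyApp.Secret, :read}, @check_fails)

  # Expected true on every version: the bypass check passes.
  def matched_actor_can_read?, do: Ash.can?({MyApp.Secret, :read}, @check_passes)

  # Expected false regardless of version, because the catch-all policy applies.
  def unmatched_actor_can_read_hardened?,
    do: Ash.can?({MyApp.SecretHardened, :read}, @check_fails)

  # Regression probe to run after upgrading: returns false while the
  # installed Ash version is still affected.
  def policies_enforced? do
    unmatched_actor_can_read?() == false and matched_actor_can_read?() == true
  end
end
```

Running MyApp.PolicyProbe.policies_enforced?/0 in an IEx session (or as an ExUnit assertion) on the upgraded application gives a quick confirmation that the bypass-only policy is now evaluated as written; the hardened variant is worth keeping even after the upgrade, since it states the intended fallback explicitly rather than relying on the framework's default for the no-applicable-policy case.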

Added: Oct 17, 2025, 2:18 PM
Updated: Oct 17, 2025, 2:18 PM

Vulnerability Rating

Custom Algorithm

spread: 0.0
impact: 5.0
exploitability: 4.3
remediation: 7.7
relevance: 0.7
threat: 4.8
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.