Lablup BackendAI Missing Authentication Vulnerability in Registration Feature Allows Unauthorized Account Creation
Vulnerability
A vulnerability exists in Lablup's BackendAI registration feature, where missing authentication allows arbitrary users to create accounts that can access private data, even when registration is supposed to be disabled. This issue is present in all versions of BackendAI.
Impact
Exploitation of this vulnerability allows unauthorized users to create accounts that can access sensitive information, such as the user's email, access key, and session settings. This access could lead to account takeover, with the potential to gain super administrator privileges.
Reproduction
To reproduce this vulnerability, attempt to register a new user account through the BackendAI registration feature while registration is disabled. Because the feature lacks proper authentication, the account is created anyway and can access private data.
