Lablup BackendAI Sensitive Data Exposure Vulnerability Allowing Account Takeover
Vulnerability
A vulnerability in Lablup's BackendAI allows attackers to access sensitive information from active sessions, including user credentials and session details. This data exposure can lead to unauthorized actions on behalf of the user, potentially granting super administrator privileges. The issue affects all versions of BackendAI.
Impact
Exploitation of this vulnerability could result in unauthorized access to user accounts, allowing attackers to perform actions on behalf of the user, with the possibility of gaining super administrator privileges.
Reproduction
To reproduce this vulnerability, start an interactive session with BackendAI's agent. The agent will write sensitive information, including the user's email, access key, and session settings, to a file in the home configuration directory. This file can be read by the default user, exposing the sensitive data.
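As an added defender-side check (not code from this advisory or from Backend.AI itself), the following script audits a configuration directory for files that contain credential-like fields such as an access key or an email address and reports their permission bits, so an operator can confirm whether a session has left such a file behind. The directory layout, file names and field names are assumptions constructed for the example, since the advisory does not name the exact file the agent writes.

```python
import json
import os
import re
import stat
import tempfile
from pathlib import Path

# Credential-like field names to look for (constructed for this example; the
# advisory only says the file holds the user's email, access key and session
# settings, without naming the exact keys or file).
SENSITIVE_KEYS = ("access_key", "secret_key", "api_key", "password", "token")
EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+")


def find_sensitive_fields(text: str) -> list:
    """Return the credential-like field names present in a file's contents."""
    found = [key for key in SENSITIVE_KEYS if key in text.lower()]
    if EMAIL_RE.search(text):
        found.append("email")
    return found


def audit_config_dir(config_dir: str) -> list:
    """Report files under config_dir holding credential-like data, with mode bits."""
    findings = []
    for path in sorted(Path(config_dir).rglob("*")):
        if not path.is_file():
            continue
        try:
            text = path.read_text(errors="ignore")
        except OSError:
            continue  # not readable by this user, so not exposed to it
        fields = find_sensitive_fields(text)
        if fields:
            mode = path.stat().st_mode
            findings.append({"path": str(path), "fields": fields,
                             "mode": oct(stat.S_IMODE(mode)),
                             "readable_by_others": bool(mode & (stat.S_IRGRP | stat.S_IROTH))})
    return findings


def demo() -> list:
    """Audit a constructed config directory (not real Backend.AI output)."""
    with tempfile.TemporaryDirectory() as tmp:
        leak = Path(tmp) / "session.json"  # constructed file name
        leak.write_text(json.dumps({"email": "user@example.com",
                                    "access_key": "AKEXAMPLE0000",
                                    "session": {"mode": "interactive"}}))
        os.chmod(leak, 0o644)  # readable by every local user
        (Path(tmp) / "theme.ini").write_text("[ui]\ntheme = dark\n")
        return audit_config_dir(tmp)
```

Running `audit_config_dir` against the real home configuration directory of a session user lists any file that would need its permissions tightened or its contents removed.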
