Onyx Enterprise Edition Authorization Bypass Vulnerability in User Group Management API

Vulnerability

A vulnerability allowing authorization bypass has been identified in Onyx Enterprise Edition version 0.27.0. This issue arises in the group management API, where curators are supposed to manage only the groups they are assigned to. However, the PATCH endpoint for user group management fails to validate permissions, allowing curators to modify any user group arbitrarily. The vulnerability is rooted in the 'update_user_group' function, which does not check if the authenticated user has the right to alter a specific group, thereby enabling unauthorized access and manipulation.

Impact

Exploitation of this vulnerability allows curators to modify any user group, including admin-only groups, thereby bypassing intended access controls and potentially leading to unauthorized access to sensitive information and functionalities.

Reproduction

To reproduce this vulnerability, first enable the Enterprise Edition features in Onyx. After setting up the application, create an admin user and a second user with basic permissions. Then create two groups, 'RESTRICTED_GROUP' and 'PERMITTED_GROUP'. Add the admin user to 'RESTRICTED_GROUP' and the basic user to 'PERMITTED_GROUP', granting the basic user curator rights for 'PERMITTED_GROUP' only. With this setup, the vulnerability can be exploited by sending a PATCH request to the user group management endpoint, targeting 'RESTRICTED_GROUP' with the curator's authentication token. The request succeeds and modifies the group's assignments, confirming that the access control is bypassed.
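The following added example is not Onyx code; it is a minimal model of the flaw described in the Vulnerability section and of the reproduction setup above. It places a handler that only checks the caller's role beside a hardened one that also binds the caller to the specific group, then replays the curator-modifies-RESTRICTED_GROUP scenario against each. All class names, ids and the handler signatures are constructed for illustration.

```python
from dataclasses import dataclass, field


class Forbidden(Exception):
    """Raised when the caller is not allowed to act on the requested group."""


@dataclass
class User:
    id: int
    role: str                                      # "admin", "curator" or "basic"
    curator_of: set = field(default_factory=set)   # ids of groups this user curates


@dataclass
class UserGroup:
    id: int
    name: str
    member_ids: set


def update_user_group_vulnerable(caller, group, new_members):
    """Models the flaw: a role check only, never a check that the caller
    curates *this* group, so any curator can rewrite any group."""
    if caller.role not in ("admin", "curator"):
        raise Forbidden("not a curator")
    group.member_ids = set(new_members)
    return group


def update_user_group_fixed(caller, group, new_members):
    """Hardened form: an object-level check binds the caller to the target."""
    is_admin = caller.role == "admin"
    curates_target = caller.role == "curator" and group.id in caller.curator_of
    if not (is_admin or curates_target):
        raise Forbidden(f"user {caller.id} may not modify group {group.id}")
    group.member_ids = set(new_members)
    return group


def run_scenario(handler):
    """Replay the advisory's setup (constructed ids) against a handler.
    Returns (request_allowed, RESTRICTED_GROUP members afterwards)."""
    restricted = UserGroup(1, "RESTRICTED_GROUP", {1})      # admin (id 1) is a member
    permitted = UserGroup(2, "PERMITTED_GROUP", {2})
    curator = User(2, "curator", curator_of={permitted.id})  # curates PERMITTED only
    try:
        handler(curator, restricted, {1, 2})  # curator PATCHes RESTRICTED_GROUP
        return True, restricted.member_ids
    except Forbidden:
        return False, restricted.member_ids
```

The vulnerable handler lets the curator add themselves to RESTRICTED_GROUP, while the fixed handler rejects the request and leaves the membership unchanged; the same object-level check is what a reviewer should look for in any per-resource PATCH route.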

Remediation

The vulnerability has been addressed in a recent commit by adding the necessary authorization checks to the group management API. Users should update to the latest version of Onyx Enterprise Edition to mitigate this vulnerability.

Added: Jul 22, 2025, 7:22 PM
Updated: Jul 22, 2025, 8:30 PM

Vulnerability Rating

Custom Algorithm

spread          0.0
impact          5.0
exploitability  6.6
remediation     0.0
relevance       0.3
threat          6.4
urgency         2.9
incentive       1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.