Internet2 Grouper Loader Job Configuration Vulnerability for Non-Admin Group Managers

Vulnerability

A vulnerability exists in Internet2 Grouper versions 5.17.1 up to, but not including, 5.20.5: group administrators who are not Grouper sysadmins can configure loader jobs on the groups they administer. Because a loader job sets attributes on its group, the unauthorized configuration takes effect the next time the daemon container is restarted or the job is scheduled manually.

Impact

Exploitation of this vulnerability could lead to unauthorized configuration of loader jobs, allowing group managers who are not sysadmins to alter group attributes they should not control.

Reproduction

To reproduce this vulnerability, first ensure that you have ADMIN privileges on a group. After confirming your admin rights, remove yourself from the sysadmin group and wait for any caches to clear. Then, navigate to the group where you hold admin privileges and create a SQL loader job using a non-functioning query. If the job saves successfully, the environment is affected. Once saved, the job can be scheduled either by manually triggering the 'Schedule jobs' action or by restarting the daemon.

Remediation

Upgrade to Internet2 Grouper version 5.20.5 or later. If upgrading is not possible, patch Grouper versions 5.17.1 to 5.20.2 by applying a specific loader hook available from the Internet2 software downloads. After applying the patch, remove the hook configuration from the grouper.properties file.
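The following triage helper is an added example, not part of this advisory or of Grouper itself. It encodes the two version ranges stated above (affected: 5.17.1 up to 5.20.5; interim hook patch offered for 5.17.1 to 5.20.2) and, for an affected deployment, flags loader jobs configured by subjects outside the sysadmin group. The loader-job export format (group name, configuring subject) and the sample records are constructed assumptions, not Grouper's own schema.

```python
"""Defender-side triage for the Grouper loader-job advisory (added example)."""
from __future__ import annotations

AFFECTED_FROM = (5, 17, 1)    # first affected release named in the advisory
FIXED_IN = (5, 20, 5)         # first fixed release
HOOK_PATCH_LAST = (5, 20, 2)  # last release the interim loader hook is offered for


def parse_version(text: str) -> tuple[int, ...]:
    """Turn '5.20.5' into (5, 20, 5) so comparisons are numeric, not lexical.

    A string compare would wrongly order '5.9.0' after '5.17.1'.
    """
    parts = text.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised Grouper version string: {text!r}")
    return tuple(int(p) for p in parts)


def triage(version: str) -> str:
    """Classify a deployment against the ranges stated in the advisory.

    'not-affected'     outside [5.17.1, 5.20.5)
    'upgrade-or-hook'  affected; the interim hook patch is an option (5.17.1-5.20.2)
    'upgrade-required' affected; no hook patch is offered (5.20.3, 5.20.4)
    """
    v = parse_version(version)
    if v < AFFECTED_FROM or v >= FIXED_IN:
        return "not-affected"
    if v <= HOOK_PATCH_LAST:
        return "upgrade-or-hook"
    return "upgrade-required"


# Constructed sample export: (group name, subject that configured the loader job).
# Hypothetical format, assumed for this example; Grouper stores this differently.
SAMPLE_JOBS = [
    ("app:hr:employees", "svc_grouper_admin"),
    ("app:lab:members", "jdoe"),          # configured by a plain group admin
    ("app:it:helpdesk", "svc_grouper_admin"),
]
SAMPLE_SYSADMINS = {"svc_grouper_admin"}


def flag_non_sysadmin_loader_jobs(jobs, sysadmins):
    """Return loader jobs whose configuring subject is not a Grouper sysadmin.

    On an affected version these are the jobs the advisory's condition allows.
    """
    return [(group, subject) for group, subject in jobs if subject not in sysadmins]
```

Run the version check first; only on an affected result does the loader-job review add information.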

Added: Sep 19, 2025, 3:19 AM
Updated: Sep 19, 2025, 3:19 AM

Vulnerability Rating

Custom Algorithm

spread: 0.8
impact: 0.6
exploitability: 6.2
remediation: 7.7
relevance: 0.5
threat: 6.4
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.