DigitalOcean Do-Markdownit Incorrect Access Control Vulnerability in Callout and Fence Environment Plugins

Vulnerability

An authorization bypass vulnerability has been identified in the @digitalocean/do-markdownit package, in versions through 1.16.1. The issue arises in the callout and fence_environment plugins, which apply substring matching when the allowedClasses or allowedEnvironments parameters are provided as strings instead of arrays. This flaw enables attackers to circumvent the allow-list restrictions and inject unauthorized classes or environments, potentially leading to privilege escalation.

Impact

Exploitation of this vulnerability allows for authorization bypass and could lead to privilege escalation, as demonstrated in a proof-of-concept that bypasses admin restrictions and accesses a production environment.

Reproduction

The vulnerability can be reproduced by installing the @digitalocean/do-markdownit package and configuring the callout and fence_environment plugins with misconfigured allow-lists that are strings instead of arrays. Once set up, the plugins will incorrectly apply substring matching, allowing for the injection of unauthorized classes or environments. This exploitation can be automated with a Node.js script or through an Express web application that simulates a real-world environment.
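The string-versus-array behaviour described above can be seen in isolation in the following added example, which is not code from the do-markdownit package or from the original advisory. The function names and sample allow-list values are hypothetical and constructed for illustration; the strict variant shows one way to reject a string allow-list before any matching happens.

```javascript
// Added illustration; function names are hypothetical, not do-markdownit source.

// Loose check: relies on .includes(), which exists on both String and Array.
// Given a string allow-list, it silently performs substring matching.
function isAllowedLoose(allowList, name) {
  return allowList.includes(name);
}

// Strict check: the allow-list must be an array of non-empty strings,
// and the candidate must equal one entry exactly.
function isAllowedStrict(allowList, name) {
  if (!Array.isArray(allowList) ||
      !allowList.every((v) => typeof v === 'string' && v.length > 0)) {
    throw new TypeError('allow-list must be an array of non-empty strings');
  }
  return typeof name === 'string' && allowList.includes(name);
}

// Constructed sample values.
const asArray = ['note', 'warning'];
const asString = 'note warning'; // misconfiguration: string instead of array

// Compare how each allow-list shape treats the same candidates.
function demo() {
  const candidates = ['note', 'warn', 'ote', ''];
  return candidates.map((candidate) => ({
    candidate,
    looseWithString: isAllowedLoose(asString, candidate),
    looseWithArray: isAllowedLoose(asArray, candidate),
  }));
}

console.table(demo());
```

With the string allow-list, every candidate in the table is accepted, including the empty string; with the array, only the exact entry is accepted.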

Added: Sep 19, 2025, 4:18 AM
Updated: Sep 19, 2025, 4:18 AM

Vulnerability Rating

Custom Algorithm
spread: 0.0
impact: 5.0
exploitability: 8.7
remediation: 0.0
relevance: 0.6
threat: 6.4
urgency: 2.9
incentive: 5.8

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.