Inforcer Platform Insecure Direct Object Reference Vulnerability
Vulnerability
An Insecure Direct Object Reference (IDOR) vulnerability has been identified in the Inforcer Platform API, version 2.0.153. An authenticated user with low privileges can read and enumerate tenant records belonging to other clients by changing the tenant ID in the request URL. The affected endpoint, '/tenants/{id}', authenticates the caller but does not check that the requested tenant belongs to the caller's own client, so it returns sensitive data such as tenant identifiers, DNS names, application IDs, and notification email addresses for any tenant whose ID is supplied. This cross-tenant exposure undermines confidentiality and breaks the isolation guarantee expected of a multi-tenant environment.
Impact
Exploitation of this vulnerability allows unauthorized access to sensitive tenant information belonging to other clients, including tenant identifiers, DNS names, application IDs, and notification email addresses. Such data exposure could facilitate targeted attacks, social engineering, or further compromise of the affected tenants.
Reproduction
To reproduce, log in as a low-privileged user and send a request to the '/tenants/{id}' endpoint, replacing the tenant ID in the URL with a valid numeric ID belonging to another client. Because the IDs are numeric, the user can iterate through candidate values to enumerate other clients' tenants. A successful response includes the clientTenantId, dnsName, applicationId, and notificationAddress of the other client's tenant. To confirm the issue without guessing IDs, use two accounts in separate client organizations and request one organization's tenant ID from the other's account.
Remediation
Inforcer has released a hot patch for this vulnerability. Customers should confirm with Inforcer that their deployment has received it, then verify by repeating the reproduction step: a request for another client's tenant ID should no longer return that tenant's details.
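The following is an added illustration, not Inforcer's code, covering both the enumeration described under Reproduction and the authorization check the fix must add. It models the '/tenants/{id}' lookup twice: once with only an authentication check (the IDOR-prone shape) and once with the tenant scoped to the caller's client. The Tenant and User types, the client_id field, the handler names, and the sample data are hypothetical; the response field names clientTenantId, dnsName, applicationId, and notificationAddress are the ones the advisory lists.

```python
"""Added example (hypothetical model, not Inforcer's code): the
/tenants/{id} lookup as an IDOR-prone handler and as a tenant-scoped one,
plus the ID-walk an attacker uses to find cross-tenant leaks."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Tenant:
    id: int                  # numeric ID that appears in the URL
    client_id: int           # owning client (customer organisation)
    clientTenantId: str      # response fields named in the advisory
    dnsName: str
    applicationId: str
    notificationAddress: str


@dataclass(frozen=True)
class User:
    id: int
    client_id: int
    role: str                # any role may call the endpoint


# Constructed sample data: two clients (100 and 200), three tenants.
TENANTS = {
    1: Tenant(1, 100, "t-100-a", "contoso.example", "app-111", "ops@contoso.example"),
    2: Tenant(2, 200, "t-200-a", "fabrikam.example", "app-222", "ops@fabrikam.example"),
    3: Tenant(3, 100, "t-100-b", "contoso2.example", "app-333", "ops2@contoso.example"),
}


class NotFound(Exception):
    """Stands in for an HTTP 404 response."""


def serialize(t: Tenant) -> dict:
    return {
        "clientTenantId": t.clientTenantId,
        "dnsName": t.dnsName,
        "applicationId": t.applicationId,
        "notificationAddress": t.notificationAddress,
    }


def get_tenant_vulnerable(caller: User, tenant_id: int) -> dict:
    # Authentication only: the caller is logged in, so any tenant ID is served.
    t = TENANTS.get(tenant_id)
    if t is None:
        raise NotFound
    return serialize(t)


def get_tenant_fixed(caller: User, tenant_id: int) -> dict:
    # Authorization: the tenant must belong to the caller's client.
    # "Does not exist" and "not yours" both map to 404 so the response
    # does not confirm which IDs are valid.
    t = TENANTS.get(tenant_id)
    if t is None or t.client_id != caller.client_id:
        raise NotFound
    return serialize(t)


def enumerate_tenants(handler, caller: User, id_range) -> dict:
    """Walk an ID range the way an attacker would; return every record served."""
    served = {}
    for tid in id_range:
        try:
            served[tid] = handler(caller, tid)
        except NotFound:
            pass
    return served


def cross_tenant_leaks(handler, caller: User, id_range) -> list:
    """IDs the handler served that belong to a client other than the caller's."""
    return [tid for tid in enumerate_tenants(handler, caller, id_range)
            if TENANTS[tid].client_id != caller.client_id]


if __name__ == "__main__":
    low_priv = User(id=7, client_id=100, role="reader")
    print("vulnerable leaks:", cross_tenant_leaks(get_tenant_vulnerable, low_priv, range(1, 10)))
    print("fixed leaks:     ", cross_tenant_leaks(get_tenant_fixed, low_priv, range(1, 10)))
```

In a real service the ownership condition belongs in the data-access query itself (a WHERE clause on the caller's client), not in a filter applied after the record is fetched, so that every code path reading tenants inherits the scoping. Returning the same not-found response for foreign and non-existent IDs also removes the oracle that lets an attacker map which numeric IDs are in use.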
