OpenFlagr Authentication Bypass Vulnerability in HTTP Middleware
Vulnerability
A vulnerability allowing authentication bypass has been identified in OpenFlagr versions through 1.1.18. This issue arises from improper path normalization in the whitelist logic of the HTTP middleware, enabling crafted requests to bypass authentication and access protected API endpoints without valid credentials. Exploitation of this vulnerability could lead to unauthorized modification of feature flags and the export of sensitive data.
Impact
Exploitation of this vulnerability allows for authentication bypass, enabling unauthorized access to protected API endpoints. According to the OpenFlagr API documentation, this access can be used to modify feature flags, export sensitive data, and perform CRUD operations on various internal resources.
Reproduction
The vulnerability can be reproduced by sending a request whose path begins with one of the prefixes in the Basic Authentication whitelist. Because the middleware matches the raw path against these prefixes without normalizing it first, the request can include a path traversal sequence so that it is treated as whitelisted while resolving to a protected route. Once the authentication bypass is achieved, access to the '/export/sqlite' route can be gained, which allows dumping the database.
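The following is an added illustration of the defect class described above and of the corrective control; it is not OpenFlagr's code, and the whitelist prefixes, credentials and request paths in it are constructed for the example. The weak check compares the raw request path against whitelist prefixes; the hardened check runs path.Clean on the decoded path first and then matches on a segment boundary, so a path that starts with a public prefix but resolves to a protected route is no longer treated as public.

```go
package main

import (
	"crypto/subtle"
	"fmt"
	"net/http"
	"net/http/httptest"
	"path"
	"strings"
)

// Constructed whitelist of unauthenticated path prefixes for this example;
// it is not OpenFlagr's real configuration.
var whitelistPrefixes = []string{"/api/v1/health", "/static/"}

// isWhitelistedNaive shows the weak pattern the advisory describes: the raw
// request path is prefix-matched without normalisation, so a path that starts
// with a public prefix but contains ".." segments is treated as public.
func isWhitelistedNaive(rawPath string) bool {
	for _, p := range whitelistPrefixes {
		if strings.HasPrefix(rawPath, p) {
			return true
		}
	}
	return false
}

// normalizePath forces a leading slash and collapses ".", ".." and repeated
// slashes, so the whitelist decision is made on the path the router will
// actually dispatch.
func normalizePath(rawPath string) string {
	if !strings.HasPrefix(rawPath, "/") {
		rawPath = "/" + rawPath
	}
	return path.Clean(rawPath)
}

// isWhitelistedHardened normalises first and then matches on a segment
// boundary, so "/static/" does not also cover "/staticfoo".
func isWhitelistedHardened(rawPath string) bool {
	clean := normalizePath(rawPath)
	for _, p := range whitelistPrefixes {
		base := strings.TrimSuffix(p, "/")
		if clean == base || strings.HasPrefix(clean, base+"/") {
			return true
		}
	}
	return false
}

// validCredentials compares against a constructed credential pair in constant
// time; a real deployment would consult its configured user store instead.
func validCredentials(user, pass string) bool {
	u := subtle.ConstantTimeCompare([]byte(user), []byte("admin"))
	p := subtle.ConstantTimeCompare([]byte(pass), []byte("example-password"))
	return u&p == 1
}

// requireAuthUnlessWhitelisted is the middleware: whitelisted (normalised)
// paths pass through, everything else needs valid Basic Auth.
func requireAuthUnlessWhitelisted(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		// r.URL.Path is already percent-decoded by net/http; normalise it
		// before deciding whether the route is public.
		if isWhitelistedHardened(r.URL.Path) {
			next.ServeHTTP(w, r)
			return
		}
		user, pass, ok := r.BasicAuth()
		if !ok || !validCredentials(user, pass) {
			w.Header().Set("WWW-Authenticate", `Basic realm="flagr"`)
			http.Error(w, "unauthorized", http.StatusUnauthorized)
			return
		}
		next.ServeHTTP(w, r)
	})
}

// statusFor runs one constructed request through the middleware and returns
// the HTTP status, so the behaviour can be checked without a live server.
func statusFor(rawPath, user, pass string) int {
	ok := http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		w.WriteHeader(http.StatusOK)
	})
	req := httptest.NewRequest(http.MethodGet, rawPath, nil)
	if user != "" {
		req.SetBasicAuth(user, pass)
	}
	rec := httptest.NewRecorder()
	requireAuthUnlessWhitelisted(ok).ServeHTTP(rec, req)
	return rec.Code
}

func main() {
	// Constructed request paths, including one with a traversal sequence
	// that starts with a public prefix but resolves to a protected route.
	for _, p := range []string{"/api/v1/health", "/api/v1/health/../../../export/sqlite", "/export/sqlite"} {
		fmt.Printf("%-40s naive=%-5v hardened=%-5v normalised=%-16s status(no auth)=%d\n",
			p, isWhitelistedNaive(p), isWhitelistedHardened(p), normalizePath(p), statusFor(p, "", ""))
	}
}
```

The caveat worth noting is that a router may clean or redirect non-canonical paths on its own, but an authentication middleware placed in front of it sees the path as the client sent it, so the normalisation has to happen inside the middleware and on the decoded path (r.URL.Path), not on the raw request-URI string.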
Remediation
Users are advised to update to OpenFlagr version 1.1.19 or later, where this vulnerability has been fixed.
