OpenViking Missing Authorization Vulnerability in Task Polling Endpoints

Vulnerability

A missing authorization vulnerability has been identified in OpenViking versions prior to 0.3.3. The task polling endpoints, /api/v1/tasks (list) and /api/v1/tasks/{task_id} (detail), can be reached without authentication, so an unauthenticated attacker can retrieve metadata about background tasks created by other users, including task types, statuses, resource identifiers, archive URIs, result payloads, and error details. In multi-tenant deployments this could lead to cross-tenant interference.

Impact

Exploitation of this vulnerability could result in unauthorized disclosure of task metadata belonging to other users, which in multi-tenant environments may allow an attacker to interfere with those users' background tasks and cause broader cross-tenant impact.

Reproduction

The vulnerability can be reproduced by sending unauthenticated requests to the /api/v1/tasks endpoint to list tasks, or to the /api/v1/tasks/{task_id} endpoint to retrieve the details of a specific task. Any HTTP client suffices, such as curl, Postman, or a web browser. A response that returns task data without any credentials confirms the exposure.
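The reproduction above and the authorization gap it demonstrates, as an added example that is not OpenViking's own code: the script below stands up a minimal offline mock of the two affected routes, once with no checks at all (the pre-0.3.3 behaviour described on this page) and once with bearer-token authentication plus per-owner scoping (a hardened form written for this example; how 0.3.3 itself fixes the issue is not stated here), then probes both routes unauthenticated the way curl would. The token values, task records, field names and archive URI scheme are constructed sample data, not taken from the project.

```python
"""Offline reproduction and check for unauthenticated task-polling endpoints.

Added example, not OpenViking's own code. A mock of /api/v1/tasks and
/api/v1/tasks/{task_id} runs in two modes: "vulnerable" (no authentication,
no ownership check) and "fixed" (bearer token + owner scoping, assumed here).
"""
import json
import threading
from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer
from urllib.error import HTTPError
from urllib.request import Request, urlopen

# Constructed sample data: two tenants, one task each. Field names are assumed.
TOKENS = {"token-alice": "alice", "token-bob": "bob"}
TASKS = {
    "t-1": {"task_id": "t-1", "owner": "alice", "type": "ingest", "status": "done",
            "archive_uri": "viking://alice/archive/1", "result": {"chunks": 12}},
    "t-2": {"task_id": "t-2", "owner": "bob", "type": "export", "status": "failed",
            "archive_uri": "viking://bob/archive/7", "error": "permission denied"},
}


def make_handler(mode):
    class Handler(BaseHTTPRequestHandler):
        def log_message(self, *args):  # keep the server quiet
            pass

        def _caller(self):
            # Map a bearer token to a user; None means the request is unauthenticated.
            auth = self.headers.get("Authorization", "")
            if auth.startswith("Bearer "):
                return TOKENS.get(auth[len("Bearer "):])
            return None

        def _send(self, code, body):
            data = json.dumps(body).encode()
            self.send_response(code)
            self.send_header("Content-Type", "application/json")
            self.send_header("Content-Length", str(len(data)))
            self.end_headers()
            self.wfile.write(data)

        def do_GET(self):
            parts = self.path.rstrip("/").split("/")
            if parts[:4] != ["", "api", "v1", "tasks"] or len(parts) > 5:
                return self._send(404, {"error": "not found"})
            caller = self._caller()
            # Vulnerable mode never looks at the caller; fixed mode requires one.
            if mode == "fixed" and caller is None:
                return self._send(401, {"error": "unauthorized"})
            if len(parts) == 4:  # list endpoint
                tasks = list(TASKS.values())
                if mode == "fixed":
                    tasks = [t for t in tasks if t["owner"] == caller]
                return self._send(200, {"tasks": tasks})
            task = TASKS.get(parts[4])  # detail endpoint
            # Ownership check: a foreign task is indistinguishable from a missing one,
            # so the response does not confirm that another tenant's task id exists.
            if task is None or (mode == "fixed" and task["owner"] != caller):
                return self._send(404, {"error": "not found"})
            return self._send(200, task)

    return Handler


def start_server(mode):
    """Start the mock on an ephemeral localhost port; returns (server, base_url)."""
    srv = ThreadingHTTPServer(("127.0.0.1", 0), make_handler(mode))
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv, f"http://127.0.0.1:{srv.server_address[1]}"


def get(url, token=None):
    """GET a URL, optionally with a bearer token; returns (status, parsed JSON body)."""
    req = Request(url)
    if token:
        req.add_header("Authorization", f"Bearer {token}")
    try:
        with urlopen(req, timeout=5) as resp:
            return resp.status, json.loads(resp.read())
    except HTTPError as err:
        return err.code, json.loads(err.read() or b"{}")


def check_task_endpoints(base, known_task_id="t-1"):
    """Probe both routes with no credentials, as the advisory's reproduction does.

    Returns {'list': status, 'detail': status, 'exposed': bool}; a 200 on either
    route without credentials means task metadata is reachable unauthenticated.
    """
    list_code, _ = get(f"{base}/api/v1/tasks")
    detail_code, _ = get(f"{base}/api/v1/tasks/{known_task_id}")
    return {"list": list_code, "detail": detail_code,
            "exposed": list_code == 200 or detail_code == 200}


if __name__ == "__main__":
    for mode in ("vulnerable", "fixed"):
        srv, base = start_server(mode)
        print(mode, check_task_endpoints(base))
        srv.shutdown()
```

Against a real deployment the same check is `curl -s -o /dev/null -w '%{http_code}' http://HOST/api/v1/tasks` with no Authorization header: a 200 reproduces the issue, and after upgrading to 0.3.3 the unauthenticated request should no longer return task data. The hardened mode also illustrates why authentication alone is not enough for this class of bug: the list route filters by owner and the detail route answers 404 rather than 403 for another tenant's task, so the fix addresses authorization, not just a missing login check.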

Remediation

Users are advised to update to OpenViking version 0.3.3 or later, where this vulnerability has been fixed.

Added: Apr 7, 2026, 7:23 PM
Updated: Apr 7, 2026, 7:23 PM

Vulnerability Rating

Custom Algorithm
spread: 0.0
impact: 0.6
exploitability: 8.4
remediation: 0.0
relevance: 5.4
threat: 4.8
urgency: 2.9
incentive: 4.2

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.