LavinMQ Policy Bypass Vulnerability Allowing Unauthorized Vhost Message Access
Vulnerability
A vulnerability in LavinMQ prior to version 2.6.8 allows authenticated users with the 'Policymaker' tag to create shovels that bypass access controls. A user exploiting it can read messages from virtual hosts (vhosts) they are not authorized to access, or publish messages into them. The issue arises from inadequate validation of shovel configurations, particularly of the permissions on the shovel's source and destination.
Impact
Exploitation of this vulnerability could lead to unauthorized message access and manipulation across virtual hosts, violating intended access controls.
Reproduction
To reproduce this vulnerability, an authenticated user with the 'Policymaker' tag creates a shovel through the Management API. The shovel can be configured to source messages from a vhost the user has no permission to access, or to deliver messages to a vhost with similar restrictions. Uploading a shovel configuration that names the unauthorized vhosts is enough to circumvent the access controls.
Remediation
Users are advised to upgrade to LavinMQ version 2.6.8 or later. If an immediate upgrade is not possible, management API access should be restricted to trusted administrators. Additionally, WAF or reverse proxy rules can be applied to block POST requests to the '/api/definitions/*' endpoints and PUT requests to the '/api/parameters/shovel/*' endpoints. It is also recommended to review and minimize the number of users with management tags.
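As an added example (not LavinMQ's own code), the following audit flags shovel definitions whose source or destination URI addresses a vhost other than the one the shovel itself belongs to, which is the pattern this vulnerability allows a Policymaker to create. It assumes the RabbitMQ-compatible definitions export format (a "parameters" list with "component": "shovel", "vhost", "name" and a "value" holding "src-uri"/"dest-uri"); the sample definitions are constructed.

```python
"""Audit exported shovel parameters for cross-vhost source/destination URIs.

Assumed format (RabbitMQ-compatible definitions export): each entry in
"parameters" has "component", "vhost", "name" and a "value" dict whose
"src-uri" / "dest-uri" are AMQP URIs (a string or a list of strings).
"""
from urllib.parse import unquote, urlsplit

# Constructed sample: one shovel stays inside its own vhost, the other is
# defined in vhost "dev" but sources messages from vhost "finance".
SAMPLE_DEFINITIONS = {
    "parameters": [
        {"component": "shovel", "vhost": "dev", "name": "dev-fanout",
         "value": {"src-uri": "amqp:///dev", "src-queue": "events",
                   "dest-uri": "amqp://localhost/dev", "dest-queue": "archive"}},
        {"component": "shovel", "vhost": "dev", "name": "cross-vhost-shovel",
         "value": {"src-uri": "amqp://localhost/finance", "src-queue": "payments",
                   "dest-uri": ["amqp:///dev"], "dest-queue": "sink"}},
        {"component": "federation-upstream", "vhost": "dev", "name": "ignored",
         "value": {"uri": "amqp://localhost/finance"}},
    ]
}


def uri_vhost(uri: str) -> str:
    """Vhost addressed by an AMQP URI, per the RabbitMQ URI spec:
    no path means the default vhost "/"; otherwise the percent-decoded path
    after the leading slash (so "amqp://h/%2F" is "/" and "amqp://h/" is "")."""
    path = urlsplit(uri).path
    return "/" if path == "" else unquote(path[1:])


def find_cross_vhost_shovels(definitions: dict) -> list[dict]:
    """Return one finding per shovel URI whose vhost differs from the
    vhost the shovel parameter is defined in."""
    findings = []
    for param in definitions.get("parameters", []):
        if param.get("component") != "shovel":
            continue
        owner = param["vhost"]
        for field in ("src-uri", "dest-uri"):
            uris = param.get("value", {}).get(field, [])
            for uri in [uris] if isinstance(uris, str) else uris:
                target = uri_vhost(uri)
                if target != owner:
                    findings.append({"shovel": param["name"], "vhost": owner,
                                     "field": field, "targets": target})
    return findings


if __name__ == "__main__":
    for f in find_cross_vhost_shovels(SAMPLE_DEFINITIONS):
        print(f"shovel {f['shovel']!r} in vhost {f['vhost']!r}: "
              f"{f['field']} points at vhost {f['targets']!r}")
```

Run it against a definitions export taken before and after the upgrade to 2.6.8 to confirm that no shovel created under the vulnerable version still reaches across vhosts.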