PlaciPy Placement Management System NoSQL Injection Vulnerability
Vulnerability
A NoSQL injection vulnerability has been identified in PlaciPy version 1.0.0, a placement management system for educational institutions. The issue arises because user-controlled query parameters are directly passed into DynamoDB query and filter construction without proper validation or sanitization. This flaw allows for manipulation of filter expressions, potentially bypassing authorization and leading to unauthorized data access.
Impact
Exploitation of this vulnerability can bypass authorization checks, allowing unauthorized access to data. It also enables cross-tenant data exposure, unintended dataset enumeration, and could cause a denial-of-service by triggering expensive scan operations. Additionally, malformed queries could disclose sensitive information through error messages.
Remediation
To address this vulnerability, it is recommended to whitelist allowed query values, enforce strict schemas for filters, reject unknown or malformed parameters, use explicit ExpressionAttributeValues, and add limits on query complexity and pagination.
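The remediation above, as an added example that is not part of the advisory or of PlaciPy's code: a builder for boto3 `Table.query` keyword arguments that whitelists filter fields against a constructed schema, binds every user value through ExpressionAttributeValues and every attribute name through a `#` placeholder, and caps filter count and page size, shown next to the unsafe string-splicing pattern it replaces. The filter field names, the `tenant_id` key and the limits are assumptions.

```python
"""Added example: building DynamoDB query parameters from untrusted input."""

# Hypothetical filter schema: allowed field names and the exact Python type
# each value must have. PlaciPy's real attribute names are not in the advisory.
ALLOWED_FILTERS = {"department": str, "batch_year": int, "placed": bool}
MAX_FILTERS = 3       # cap on expression complexity
MAX_PAGE_SIZE = 50    # cap on pagination size

def unsafe_query_kwargs(tenant_id, params):
    """Vulnerable pattern: untrusted keys and values are spliced into the
    expression string, so a request can change the filter's structure."""
    expr = " AND ".join(f"{k} = {v}" for k, v in params.items())
    return {"KeyConditionExpression": f"tenant_id = {tenant_id}",
            "FilterExpression": expr}

def build_query_kwargs(tenant_id: str, params: dict, page_size: int = 20) -> dict:
    """Hardened builder for boto3 Table.query(**kwargs): unknown fields, wrong
    types and oversized requests are rejected; every user value is bound via
    ExpressionAttributeValues and every attribute name via a #placeholder."""
    if not isinstance(tenant_id, str) or not tenant_id:
        raise ValueError("tenant_id is required")
    if len(params) > MAX_FILTERS:
        raise ValueError("too many filter parameters")
    if not 1 <= page_size <= MAX_PAGE_SIZE:
        raise ValueError("page_size out of range")
    names = {"#tid": "tenant_id"}
    values = {":tid": tenant_id}  # tenant_id must come from the session, not the request
    clauses = []
    for i, (field, value) in enumerate(params.items()):
        expected = ALLOWED_FILTERS.get(field)
        if expected is None:
            raise ValueError(f"unknown filter field: {field!r}")
        if type(value) is not expected:  # exact match: bool is a subclass of int
            raise ValueError(f"wrong type for {field!r}")
        names[f"#f{i}"] = field
        values[f":v{i}"] = value
        clauses.append(f"#f{i} = :v{i}")
    kwargs = {
        "KeyConditionExpression": "#tid = :tid",
        "ExpressionAttributeNames": names,
        "ExpressionAttributeValues": values,
        "Limit": page_size,
    }
    if clauses:
        kwargs["FilterExpression"] = " AND ".join(clauses)
    return kwargs
```

The returned dict is passed as `table.query(**kwargs)`; because the expression strings contain only placeholders, no request value can alter the comparison structure or the tenant key condition.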
