wger Workout Manager User-Scope Cache Key Vulnerability in Routine API Endpoints
Vulnerability
wger Workout Manager versions through 2.4 build the cache keys for five routine detail action endpoints from the routine's primary key (PK) alone, without the requesting user's ID. When a cached response exists for a PK, it is served without the ownership check that would otherwise reject a user who does not own the routine. The flaw is exploitable once a victim has accessed their routine via the API, because that request leaves a cache entry keyed only by the PK, which another user can then retrieve by requesting the same PK.
Impact
Exploitation of this vulnerability allows for unauthorized access to another user's routine details, including workout sequences, exercise structures, training logs, and statistics, all retrieved from the cache without proper ownership verification.
Reproduction
To reproduce the issue, first have the victim (User A) request one of the affected routine endpoints, for example 'GET /api/v2/routine/5/structure/'. The response is cached under a key derived only from the PK (5), not from User A's ID. While that entry exists, an attacker (User B) can request the same URL, 'GET /api/v2/routine/5/structure/', and receive User A's cached routine structure without any ownership check being applied. The attacker cannot create the entry themselves: a request on a cache miss goes through the ownership check and fails, so the attack depends on the victim having populated the cache.
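The following is an added illustration of the pattern described in the Vulnerability and Reproduction sections; it is not wger's own code. It models Django's cache with an in-memory dict and uses hypothetical view functions, key formats and sample routine data. The vulnerable view keys the cached structure by PK only, so the attacker's request for the same PK hits the victim's entry and the ownership check never runs; the fixed view includes the user ID in the key, so the attacker's lookup misses and falls through to the ownership check, which rejects it.

```python
from dataclasses import dataclass, field


@dataclass
class Routine:
    pk: int
    owner_id: int
    structure: list


@dataclass
class FakeCache:
    """Minimal stand-in for django.core.cache.cache (get/set only)."""
    store: dict = field(default_factory=dict)

    def get(self, key):
        return self.store.get(key)

    def set(self, key, value):
        self.store[key] = value


class NotFound(Exception):
    """Stands in for the 404 a user gets for a routine they do not own."""


# Constructed sample data: routine 5 belongs to user 1 (the victim).
ROUTINES = {5: Routine(pk=5, owner_id=1, structure=["day 1: squat", "day 2: bench"])}


def get_routine_or_404(pk, user_id):
    """Ownership check: the routine must exist and belong to the caller."""
    routine = ROUTINES.get(pk)
    if routine is None or routine.owner_id != user_id:
        raise NotFound(f"routine {pk} not found for user {user_id}")
    return routine


def structure_vulnerable(cache, pk, user_id):
    """Hypothetical 'structure' action with the flaw: key scoped by PK only.

    A cache hit is returned before get_routine_or_404 is consulted, so any
    user who knows the PK reads whatever the owner's request cached.
    """
    key = f"routine-structure-{pk}"
    cached = cache.get(key)
    if cached is not None:
        return cached
    routine = get_routine_or_404(pk, user_id)
    cache.set(key, routine.structure)
    return routine.structure


def structure_fixed(cache, pk, user_id):
    """Same action with the key scoped by user ID as well as PK.

    Another user's request can no longer hit this entry; on the miss it
    runs the ownership check and is rejected. Checking ownership before
    the cache lookup is a further hardening option not shown here.
    """
    key = f"routine-structure-{user_id}-{pk}"
    cached = cache.get(key)
    if cached is not None:
        return cached
    routine = get_routine_or_404(pk, user_id)
    cache.set(key, routine.structure)
    return routine.structure


def simulate(view):
    """Victim (user 1) warms the cache for routine 5, then the attacker
    (user 2) requests the same PK. Returns what the attacker received,
    or None if the view refused the request."""
    cache = FakeCache()
    view(cache, pk=5, user_id=1)
    try:
        return view(cache, pk=5, user_id=2)
    except NotFound:
        return None


if __name__ == "__main__":
    print("vulnerable view leaked:", simulate(structure_vulnerable))
    print("fixed view leaked:", simulate(structure_fixed))
```

Running the module shows the vulnerable view handing the victim's structure to user 2, and the fixed view returning None for the same sequence. Note that scoping the key by user ID alone is sufficient to stop this leak only because the miss path still performs the ownership check; if that check were ever removed, a per-user key would not protect the data.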
Remediation
Users can update to the latest version of wger, where this vulnerability has been addressed. Instructions for updating can be found in the wger documentation.
