Vito Cross-Project Privilege Escalation Vulnerability in Workflow Site-Creation Actions

Vulnerability

A cross-project privilege escalation vulnerability has been identified in Vito, a self-hosted web application for managing servers and deploying PHP applications. Prior to version 3.20.3, a missing authorization check in workflow site-creation actions allowed an authenticated attacker with workflow write access in one project to create and manage sites on servers belonging to other projects by supplying a foreign server ID. This issue has been patched in version 3.20.3.

Impact

Exploitation of this vulnerability allows for unauthorized cross-project actions, including creating sites on other projects' servers, triggering deployment and installation jobs on those servers, and modifying remote server configurations. Such actions could disrupt the integrity of the victim's managed infrastructure and potentially impact the confidentiality and availability of services.

Reproduction

To reproduce this vulnerability, an authenticated user with workflow write access in Project A creates a workflow that includes a site-creation action. By specifying the ID of a server that belongs to Project B, the user can have the action execute against that server, bypassing the project-scoped authorization check and allowing modifications on the victim's server.

Remediation

Users are advised to update to Vito version 3.20.3, where this vulnerability has been fixed.
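The root cause described above is a server lookup that is not scoped to the caller's project. Below is an added illustration of the vulnerable pattern beside a hardened one in Laravel style; it is not Vito's own code, and the model names, relationships (servers(), sites()) and the ServerPolicy are assumptions.

```php
<?php
// Illustrative Laravel-style action, not Vito's own code. Model and
// relationship names (Project, Server, Site, servers(), sites()) and the
// ServerPolicy behind can('update') are assumptions.

namespace App\Actions\Site;

use App\Models\Project;
use App\Models\Server;
use App\Models\Site;
use Illuminate\Http\Request;

class CreateSiteFromWorkflow
{
    // Vulnerable pattern: the server is fetched by id alone, so any id the
    // caller supplies is accepted, including servers owned by other projects.
    // Authorization on $project does not help because $server is never
    // checked against it.
    public function vulnerable(Request $request, Project $project): Site
    {
        $server = Server::findOrFail($request->input('server_id'));

        return $server->sites()->create($request->only(['domain', 'path']));
    }

    // Hardened pattern: resolve the server through the project the caller has
    // already been authorized for. A foreign id is simply not found, so the
    // request ends in a 404 instead of acting on another project's server.
    public function hardened(Request $request, Project $project): Site
    {
        $server = $project->servers()->findOrFail($request->input('server_id'));

        // Explicit policy check as a second layer, so a future change to how
        // servers are resolved still has to pass an ownership decision.
        abort_unless($request->user()->can('update', $server), 403);

        return $server->sites()->create($request->only(['domain', 'path']));
    }
}
```

The same scoping applies to every other foreign key a workflow action accepts; the check belongs in the action (or its policy), not only in the UI that lists selectable servers.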

Added: Mar 6, 2026, 9:26 PM
Updated: Mar 6, 2026, 9:26 PM

Vulnerability Rating

Custom Algorithm
spread: 0.0
impact: 1.5
exploitability: 6.2
remediation: 0.0
relevance: 3.5
threat: 6.4
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.