Doorman Improper Access Control Vulnerability Allows Privilege Escalation
Vulnerability
A vulnerability in Doorman versions 0.1.0 and 1.0.2 allows authenticated users to change their own account role to a non-admin privileged role. The user update endpoint does not apply the required permission check when a user updates their own account, so a request to it can set the role field. As a result, low-privileged users can escalate their privileges to higher roles.
Impact
Exploitation of this vulnerability allows for unauthorized privilege escalation, enabling users to gain elevated rights within the application.
Reproduction
To reproduce this vulnerability, an authenticated user sends a PUT request to the /platform/user/{username} endpoint for their own username. The request body includes a role value corresponding to a non-admin privileged role. The update is processed without checking for the manage_users permission, allowing the user to promote themselves to a higher role.
Remediation
Users can update to Doorman version 1.0.3 or later, where this vulnerability has been addressed.
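The missing check described under Reproduction, and the kind of fix the Remediation refers to, as an added illustration that is not Doorman's own code: the User and UpdateDenied types, the update_user_* functions, the "manage_users" permission name from the advisory and the constructed role names are assumptions.

```python
from dataclasses import dataclass, field

@dataclass
class User:                      # hypothetical stand-in for a stored user record
    username: str
    role: str
    permissions: set = field(default_factory=set)   # e.g. {"manage_users"}
    email: str = ""

class UpdateDenied(Exception):
    """Raised where a real handler would return HTTP 403."""

def _must_manage_users(caller: User, why: str) -> None:
    if "manage_users" not in caller.permissions:
        raise UpdateDenied(f"manage_users permission required: {why}")

def update_user_vulnerable(caller: User, target: User, changes: dict) -> User:
    """Flawed pattern: editing someone else's record needs manage_users, but a
    self-update is passed through untouched, so 'role' can be rewritten."""
    if caller.username != target.username:
        _must_manage_users(caller, "editing another user")
    for key, value in changes.items():
        setattr(target, key, value)
    return target

PRIVILEGED_FIELDS = {"role", "permissions"}   # fields that confer access

def update_user_fixed(caller: User, target: User, changes: dict) -> User:
    """Hardened: the manage_users check also covers privileged fields on a
    self-update, so a user may edit their own profile but never their own role."""
    if caller.username != target.username:
        _must_manage_users(caller, "editing another user")
    touched = PRIVILEGED_FIELDS.intersection(changes)
    if touched:
        _must_manage_users(caller, f"changing {sorted(touched)}")
    for key, value in changes.items():
        setattr(target, key, value)
    return target

def self_role_change(handler, requested_role: str) -> str:
    """Simulate a low-privileged user PUTting their own record with a new role
    and report the role stored afterwards ('user' means it was refused)."""
    me = User("alice", "user")   # constructed sample account, no manage_users
    try:
        handler(me, me, {"role": requested_role})
    except UpdateDenied:
        pass
    return me.role

if __name__ == "__main__":
    print("vulnerable:", self_role_change(update_user_vulnerable, "operator"))
    print("fixed:     ", self_role_change(update_user_fixed, "operator"))
```

The hardened handler keys the check on which fields the request touches rather than on whose record it is, which is the property an audit of any self-service update endpoint should confirm.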
