OneUptime Authorization Bypass Vulnerability Leading to Cross-Tenant Data Exposure and Account Takeover
Vulnerability
An authorization bypass vulnerability has been identified in OneUptime versions prior to 10.0.21. It allows low-privileged users to bypass authorization and tenant isolation by sending a forged 'is-multi-tenant-query' header together with an attacker-controlled 'projectid' header. Because the server trusts these client-supplied headers, an attacker can skip internal permission checks and disable tenant scoping, gaining unauthorized access to project data belonging to other tenants. Exploiting this vulnerability lets an attacker read sensitive user information through nested relations, leak plaintext password-reset tokens, and reset victims' passwords, leading to full account takeover.
Impact
Exploitation of this vulnerability allows for cross-tenant data exposure and full account takeover on the affected OneUptime instance.
Reproduction
To reproduce this vulnerability, a local OneUptime v10.0.20 instance is needed, along with two regular (low-privileged) user accounts: one for the attacker and one for the victim. The attacker sends a request to the API project get-list endpoint that includes the 'is-multi-tenant-query' header set to true, the 'projectid' header set to a project they own, and a query selecting sensitive user fields from the victim's project. Because the server honours these headers, the request bypasses the authorization checks and tenant isolation, allowing the attacker to read and exploit the victim's data.
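The root cause described in the Vulnerability and Reproduction sections is that tenant scope is derived from headers the client controls. The following added example (not OneUptime's code) contrasts that pattern with a hardened resolver that takes the project from the route and the caller's identity from the server-side session, plus a detection helper; the request and session shapes, the membership table and the 403 errors are assumptions.

```javascript
// Added example, not OneUptime's code. Header names follow the advisory;
// request/session shapes and the membership table below are assumptions.

// Constructed in-memory tenant membership: user id -> projects they belong to.
const MEMBERSHIPS = {
  "user-attacker": new Set(["proj-attacker"]),
  "user-victim": new Set(["proj-victim"]),
};

// VULNERABLE pattern: scope comes from client-controlled headers.
// 'is-multi-tenant-query: true' removes the tenant filter entirely, and
// 'projectid' is accepted without any membership check.
function resolveScopeVulnerable(req) {
  const headers = req.headers || {};
  if (String(headers["is-multi-tenant-query"]).toLowerCase() === "true") {
    return { multiTenant: true, projectId: null }; // no tenant scoping
  }
  return { multiTenant: false, projectId: headers["projectid"] || null };
}

// HARDENED pattern: headers never decide scope. The project id comes from
// the route, membership is enforced against the authenticated session, and
// the multi-tenant mode is only granted to an internal service principal
// that the server established itself (never from a request header).
function resolveScopeHardened(req, session) {
  if (session.isInternalService === true) {
    return { multiTenant: true, projectId: null };
  }
  const projectId = req.params && req.params.projectId;
  if (!projectId) {
    throw new Error("403: project scope required");
  }
  const allowed = MEMBERSHIPS[session.userId] || new Set();
  if (!allowed.has(projectId)) {
    throw new Error("403: not a member of this project");
  }
  return { multiTenant: false, projectId };
}

// Detection aid: an external caller supplying the internal-only header is
// a strong signal worth logging and alerting on.
function isSuspiciousHeaderUse(req, session) {
  const headers = req.headers || {};
  return session.isInternalService !== true &&
    Object.prototype.hasOwnProperty.call(headers, "is-multi-tenant-query");
}
```

In the hardened form, a forged header is simply ignored, and a request for a project the caller does not belong to is rejected before any query runs.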
Remediation
Users should update to OneUptime version 10.0.21 or later to address this vulnerability.
