Frigate Password Change Vulnerability in Network Video Recorder

Vulnerability

A vulnerability in Frigate, a network video recorder (NVR) application, allows authenticated users to change their passwords without verifying the current password. This issue is present in versions prior to 0.17.0-beta1. The vulnerability arises because the password change endpoint does not require current password verification, and changes do not invalidate existing JWT tokens. Additionally, there is no enforcement of password strength, leaving accounts susceptible to brute-force attacks. Exploitation can occur if an attacker obtains a valid session token, such as through an exposed JWT, stolen cookie, cross-site scripting (XSS), a compromised device, or HTTP sniffing.

Impact

Exploitation of this vulnerability allows an attacker to change a victim's password and gain permanent control over their account. Because existing JWT tokens are not invalidated after a password change, a hijacked session stays valid even after the victim resets the password. Furthermore, the absence of password strength requirements makes accounts vulnerable to brute-force attacks.

Reproduction

To reproduce this vulnerability, an authenticated user can send a request to the '/users/{username}/password' endpoint, including a new password without providing the current password. This request can be made using a valid session token obtained through various means, such as an exposed JWT or a stolen cookie.

Remediation

Users are advised to update to Frigate version 0.17.0-beta1 or later, where this vulnerability has been addressed.
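As an added illustration (not Frigate's code), the handler below models the three controls the advisory says were missing, using only the Python standard library: the change endpoint re-verifies the current password, rejects weak new passwords, and bumps a per-user token version so that every JWT issued before the change stops validating. The in-memory user store, the `ver` claim, the PBKDF2 parameters and the strength rule are assumptions made for this example.

```python
import base64, hashlib, hmac, json, os, secrets

SECRET = secrets.token_bytes(32)  # JWT signing key, generated fresh for this demo
users = {}                        # constructed in-memory store: username -> record

def _b64(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=")
def _hash(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)  # demo cost
def _set_password(record, password):
    record["salt"] = os.urandom(16)
    record["hash"] = _hash(password, record["salt"])
    record["ver"] = record.get("ver", 0) + 1  # new credential generation: revokes every earlier JWT
def create_user(username, password):
    users[username] = {}
    _set_password(users[username], password)
def issue_token(username):
    # Minimal HS256 JWT; the "ver" claim ties it to the credential generation it was issued under.
    header = _b64(b'{"alg":"HS256","typ":"JWT"}')
    payload = _b64(json.dumps({"sub": username, "ver": users[username]["ver"]}).encode())
    sig = _b64(hmac.new(SECRET, header + b"." + payload, hashlib.sha256).digest())
    return b".".join((header, payload, sig)).decode()
def verify_token(token):
    # Returns the username for a valid, current token; None for anything else.
    header, payload, sig = (token.encode().split(b".") + [b""] * 3)[:3]
    expected = _b64(hmac.new(SECRET, header + b"." + payload, hashlib.sha256).digest())
    if not hmac.compare_digest(sig, expected):
        return None
    claims = json.loads(base64.urlsafe_b64decode(payload + b"=" * (-len(payload) % 4)))
    user = users.get(claims.get("sub"))
    if user is None or claims.get("ver") != user["ver"]:
        return None  # stale "ver": the token predates the last password change
    return claims["sub"]
def password_is_strong(password):
    kinds = {(c.islower(), c.isupper(), c.isdigit()) for c in password}  # lower/upper/digit/other
    return len(password) >= 12 and len(kinds) >= 3

def change_password(token, current_password, new_password):
    # Hardened handler: re-authenticate with the current password, enforce strength, revoke old sessions.
    username = verify_token(token)
    if username is None:
        return "unauthenticated"
    user = users[username]
    if not hmac.compare_digest(_hash(current_password, user["salt"]), user["hash"]):
        return "wrong_current_password"
    if not password_is_strong(new_password):
        return "weak_password"
    _set_password(user, new_password)
    return "ok"
```

The vulnerable behaviour described above corresponds to skipping the `compare_digest` check on the current password and never touching `ver`, so a stolen token would keep working after the change.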

Added: Mar 20, 2026, 10:21 AM
Updated: Mar 20, 2026, 10:21 AM

Vulnerability Rating

Custom Algorithm

spread: 0.0
impact: 1.3
exploitability: 3.9
remediation: 0.0
relevance: 4.2
threat: 4.8
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.