Frigate Network Video Recorder Broken Access Control Vulnerability Allowing Account Deletion
Vulnerability
A broken access control vulnerability has been identified in Frigate, a network video recorder (NVR) application, in versions through 0.16.2. This vulnerability allows users with the viewer role to delete admin and low-privileged user accounts. The exploitation of this issue can lead to a denial-of-service condition and negatively impact data integrity. The vulnerability has been patched in version 0.16.3.
Impact
Exploitation of this vulnerability can cause a denial-of-service condition and disrupt data integrity by allowing unauthorized deletion of user accounts.
Reproduction
To reproduce this vulnerability, log into Frigate as a user with the viewer role and send a DELETE request to the endpoint '/api/users/admin' to remove the admin user account. The request succeeds even though the viewer role should not be permitted to delete accounts, demonstrating the broken access control (a missing authorization check on an authenticated request).
Remediation
Users are advised to update Frigate to version 0.16.3, where this vulnerability has been patched.
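As an added illustration (not Frigate's own code), the following constructed model shows the class of defect the advisory describes: a DELETE handler on the '/api/users/<name>' endpoint that checks only that the caller is logged in, beside a hardened version that also requires the admin role, plus a small check over constructed access-log lines that flags successful deletions by non-admin roles. The session shape, the user table, the last-admin guard and the log format are assumptions made for the example.

```python
# Constructed model, not Frigate's code: a session is a (username, role) pair
# and the user table maps username -> role, using the advisory's two roles.
class Forbidden(Exception):
    pass

def delete_user_vulnerable(session, target, users):
    # Authentication only: any logged-in role, including viewer, passes.
    if session is None:
        raise PermissionError("login required")
    users.pop(target)

def delete_user_hardened(session, target, users):
    # Authorization as well: admin role required, and (an assumed extra guard)
    # the last remaining admin account cannot be removed.
    if session is None:
        raise PermissionError("login required")
    _user, role = session
    if role != "admin":
        raise Forbidden(f"role {role!r} may not delete users")
    if users.get(target) == "admin" and list(users.values()).count("admin") == 1:
        raise Forbidden("refusing to delete the last admin account")
    users.pop(target)

def handle_delete(session, path, users, checker):
    # Route DELETE /api/users/<name> and return an HTTP-style status code.
    prefix = "/api/users/"
    if not path.startswith(prefix):
        return 404
    try:
        checker(session, path[len(prefix):], users)
    except KeyError:
        return 404
    except Forbidden:
        return 403
    except PermissionError:
        return 401
    return 200

def suspicious_deletes(log_lines):
    # Detection over constructed access-log lines shaped
    # "<ts> <user> <role> <method> <path> <status>": a 200 on DELETE
    # /api/users/* by a non-admin role means the missing check was exercised.
    hits = []
    for line in log_lines:
        _ts, user, role, method, path, status = line.split()
        if method == "DELETE" and path.startswith("/api/users/") \
                and role != "admin" and status == "200":
            hits.append((user, path))
    return hits
```

Running the same viewer request through both checkers returns 200 for the vulnerable handler and 403 for the hardened one; the log check is the kind of retrospective query worth running against an instance that was exposed before the update to 0.16.3.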
