Frigate Network Video Recorder Broken Access Control Vulnerability Allowing Sensitive Configuration Disclosure
Vulnerability
A broken access control vulnerability has been identified in Frigate, a network video recorder, in version 0.17.0. This issue allows authenticated non-admin users to access the full raw Frigate configuration through the '/api/config/raw' endpoint. The raw configuration includes sensitive information such as camera credentials, go2rtc stream credentials, MQTT passwords, proxy secrets, and other secrets stored in 'config.yml'. The vulnerability was introduced by an admin-by-default API refactor, which mistakenly left '/api/config/raw' accessible to low-privilege authenticated users while restricting similar endpoints to admin users only.
Impact
Exploitation of this vulnerability allows low-privilege authenticated users to access unredacted deployment secrets from the Frigate configuration. This could lead to unauthorized access to connected systems or services, including RTSP or camera credentials, go2rtc stream credentials, MQTT credentials, proxy authentication secrets, and integration URLs and tokens stored in the config. The disclosure of such sensitive information could facilitate further compromises of connected cameras and infrastructure.
Reproduction
To reproduce this vulnerability, authenticate as a non-admin user and send a request to the '/api/config/raw' endpoint, including an authorization bearer token for a low-privilege account. The response will contain the full unredacted 'config.yml', exposing sensitive credentials and secrets.
Remediation
Users are advised to update to Frigate version 0.17.1 or later, where this vulnerability has been patched. In version 0.17.1, the '/api/config/raw' endpoint has been restricted to admin users only.
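The regression described above, an admin-by-default API where one config endpoint fell through to a lower role, is easy to catch with a route-table audit run in CI. The following is an added illustration, not Frigate's own code: the route table, the "viewer" role and every path except '/api/config/raw' are hypothetical.

```python
# Added example (not Frigate's code): a minimal admin-by-default authorization
# table plus an audit that flags endpoints under a sensitive prefix that a
# non-admin role can reach. Route paths other than /api/config/raw and the
# role names are hypothetical.

ROLE_RANK = {"viewer": 0, "admin": 1}

# Hypothetical route table: path -> minimum role required. A path absent from
# the table is treated as admin-only (fail closed).
VULNERABLE_ROUTES = {
    "/api/config": "admin",
    "/api/config/raw": "viewer",     # the regression: raw config.yml exposed
    "/api/config/save": "admin",
    "/api/events": "viewer",
}

# Same table with the fix applied: raw config restricted to admins.
FIXED_ROUTES = {**VULNERABLE_ROUTES, "/api/config/raw": "admin"}

# Prefixes whose every endpoint must be admin-only because they serve or
# modify config.yml, where camera, go2rtc, MQTT and proxy secrets live.
SENSITIVE_PREFIXES = ("/api/config",)


def is_allowed(routes, path, role):
    """Admin-by-default check: unknown paths and unknown roles are denied."""
    required = routes.get(path, "admin")
    return ROLE_RANK.get(role, -1) >= ROLE_RANK[required]


def audit_sensitive_routes(routes, prefixes=SENSITIVE_PREFIXES):
    """Return paths under a sensitive prefix that a non-admin role can reach."""
    return [
        path
        for path, required in sorted(routes.items())
        if path.startswith(prefixes) and required != "admin"
    ]


if __name__ == "__main__":
    print("vulnerable table:", audit_sensitive_routes(VULNERABLE_ROUTES))
    print("fixed table:", audit_sensitive_routes(FIXED_ROUTES))
```

Wiring `audit_sensitive_routes` into the test suite turns a silent privilege fall-through like this one into a failing build.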
