Frigate Cross-Camera Snapshot Access Vulnerability

Vulnerability

A vulnerability in Frigate version 0.17.0 allows low-privilege authenticated users to access snapshots from unauthorized cameras. This issue arises from two authorization flaws: first, the '/api/timeline' endpoint improperly includes entries from cameras outside the user's permissions; second, the '/api/events/{event_id}/snapshot-clean.webp' endpoint, while declaring a camera access requirement, fails to validate the camera associated with the event. As a result, restricted users can enumerate event IDs from other cameras and retrieve snapshots for those events.

Impact

Exploitation of this vulnerability allows restricted users to access and download snapshots from cameras they are not authorized to view, violating cross-camera confidentiality.

Reproduction

To reproduce this vulnerability, an authenticated user with access to only one camera can request timeline entries from another camera via the '/api/timeline' endpoint. The response will include unauthorized event IDs. These event IDs can then be used to request snapshots from the '/api/events/{event_id}/snapshot-clean.webp' endpoint, successfully retrieving images from the other camera.

Remediation

Users can update to Frigate version 0.17.1 or later, where this vulnerability has been fixed.
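
The two checks whose absence is described under Vulnerability, shown as an added Python sketch for auditing similar endpoints. This is not Frigate's code or the 0.17.1 patch; the `User`, `Event`, `timeline` and `snapshot` names and the sample data are hypothetical and constructed for illustration.

```python
# Added illustration; not Frigate's code. All names and data are constructed.
from dataclasses import dataclass

@dataclass(frozen=True)
class Event:
    event_id: str
    camera: str
    snapshot: bytes

@dataclass(frozen=True)
class User:
    name: str
    cameras: frozenset  # cameras this user may view

class Forbidden(Exception):
    """Caller is not allowed to see the requested camera or event."""

# Constructed sample store: two cameras, one event each.
EVENTS = {
    "evt-front-1": Event("evt-front-1", "front_door", b"front-bytes"),
    "evt-garage-1": Event("evt-garage-1", "garage", b"garage-bytes"),
}

def timeline(user, camera=None):
    """List timeline entries, restricted to the caller's cameras."""
    if camera is not None and camera not in user.cameras:
        raise Forbidden(camera)  # explicit request for a foreign camera
    return [
        {"event_id": e.event_id, "camera": e.camera}
        for e in EVENTS.values()
        if e.camera in user.cameras and (camera is None or e.camera == camera)
    ]

def snapshot(user, event_id):
    """Return snapshot bytes only after checking the event's own camera."""
    event = EVENTS.get(event_id)
    # Authorize against the camera stored on the event, not a route-level
    # declaration. Unknown and forbidden ids fail the same way, so the
    # response does not confirm which ids exist.
    if event is None or event.camera not in user.cameras:
        raise Forbidden(event_id)
    return event.snapshot
```

Both functions resolve the camera from the stored object before answering, which is the object-level check a route-level access declaration alone does not provide.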

Added: Mar 26, 2026, 5:33 PM
Updated: Mar 26, 2026, 5:33 PM

Vulnerability Rating

Custom Algorithm
spread: 0.3
impact: 2.5
exploitability: 4.8
remediation: 7.7
relevance: 4.7
threat: 6.4
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.