Canonical LXD Improper Authorization Vulnerability in Certificate Enumeration

Vulnerability

A vulnerability in Canonical LXD version 6.6 allows an authenticated but restricted user to enumerate every certificate fingerprint trusted by the LXD server. The issue lies in the API endpoint GET /1.0/certificates: the non-recursive listing skips the authorization checks that the recursive listing applies, so the full set of trusted identities in the LXD deployment is exposed.

Impact

Exploitation of this vulnerability allows restricted users to bypass authorization controls and obtain a complete list of certificate fingerprints, which can be used to identify the certificates trusted for inter-cluster communication and administrative tasks. It also undermines fine-grained role-based access control by exposing information that should be restricted.

Reproduction

To reproduce this vulnerability, an authenticated user with restricted permissions sends a GET request to the /1.0/certificates endpoint without the recursion parameter; the response is an unfiltered list of all certificate fingerprints. In contrast, a request with the recursion parameter returns only the fingerprints of certificates the user is authorized to view, which demonstrates the authorization bypass.
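The two code paths described above, modelled in Go as an added illustration (this is not LXD's own code; Certificate, listCertificates and leakedFingerprints are hypothetical names): the unpatched handler applies the per-entry authorization check only on the recursive path, and leakedFingerprints performs the comparison from the reproduction steps, so a non-empty result against a live server indicates the unpatched behaviour.

```go
package main

import (
	"fmt"
	"strings"
)
// Certificate is a minimal stand-in for a trusted-certificate entry (hypothetical, not LXD's type).
type Certificate struct{ Fingerprint, Project string }

// listCertificates models GET /1.0/certificates. With patched=false it reproduces the advisory's
// flaw: the permission check runs only on the recursive path, so the non-recursive path lists every cert.
func listCertificates(certs []Certificate, recursive, patched bool, allowed func(Certificate) bool) []string {
	var out []string
	for _, c := range certs {
		if (recursive || patched) && !allowed(c) {
			continue // authorization check; skipped on the unpatched non-recursive path
		}
		if recursive {
			out = append(out, c.Fingerprint)
		} else {
			out = append(out, "/1.0/certificates/"+c.Fingerprint)
		}
	}
	return out
}

// leakedFingerprints is the comparison from the Reproduction section: fingerprints present in the
// non-recursive listing but absent from the recursive one. Non-empty against a live server means unpatched.
func leakedFingerprints(nonRecursive, recursive []string) []string {
	seen := make(map[string]bool, len(recursive))
	for _, fp := range recursive {
		seen[fp] = true
	}
	leaked := []string{}
	for _, url := range nonRecursive {
		if fp := strings.TrimPrefix(url, "/1.0/certificates/"); !seen[fp] {
			leaked = append(leaked, fp)
		}
	}
	return leaked
}

func main() {
	certs := []Certificate{{"aaaa1111", "dev"}, {"bbbb2222", "ops"}, {"cccc3333", "ops"}} // constructed sample
	devOnly := func(c Certificate) bool { return c.Project == "dev" }                          // caller restricted to "dev"
	for _, patched := range []bool{false, true} {
		leaked := leakedFingerprints(listCertificates(certs, false, patched, devOnly), listCertificates(certs, true, patched, devOnly))
		fmt.Printf("patched=%v leaked=%v\n", patched, leaked)
	}
}
```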

Remediation

Users can upgrade to Canonical LXD version 6.7, where this vulnerability has been patched.

Added: Mar 3, 2026, 1:19 PM
Updated: Mar 3, 2026, 1:19 PM

Vulnerability Rating

Custom Algorithm
spread: 4.2
impact: 0.6
exploitability: 4.2
remediation: 7.7
relevance: 3.6
threat: 6.4
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.