InvenTree
cpe:2.3:a:inventree_project:inventree:*:*:*:*:*:*:*
- < 1.2.6
A vulnerability exists in InvenTree, an open-source inventory management system, prior to version 1.2.6. Certain API endpoints for bulk data operations can be abused to exfiltrate sensitive information from the database. The affected endpoints, including '/api/part/', '/api/stock/' and '/api/order/so/allocation/', among others, accept a filters parameter whose keys are passed directly to Django's ORM without validation. Because no field allowlist is enforced, an authenticated user can use Django's double-underscore lookup syntax to traverse model relationships from the queried model into related models and apply comparison lookups to their fields, enabling unauthorized data extraction. This vulnerability has been patched in versions 1.2.6 and 1.3.0 and above.
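The following is an added illustration of the filter-injection pattern described above. It is not InvenTree's code and does not import Django: a small in-memory resolver stands in for Model.objects.filter(**filters) so the mechanism runs offline. The tables, field names (created_by, password), lookups and sample rows are constructed for the example and are not a claim about InvenTree's actual schema. It shows the unsafe filter beside a hardened version that enforces a field allowlist and rejects relation traversal, and a blind boolean-based extraction loop that recovers a related record's field one character at a time through the unsafe filter.

```python
"""Django-style filter injection, emulated without Django (added example)."""
import string

# Constructed data: two "tables" linked by a foreign key (part.created_by -> user.pk).
USERS = {
    1: {"pk": 1, "username": "alice", "password": "pbkdf2$s3cr3t-hash$Ab9"},
    2: {"pk": 2, "username": "bob", "password": "pbkdf2$other$Zz1"},
}
PARTS = [
    {"pk": 10, "name": "M3 bolt", "created_by": 1},
    {"pk": 11, "name": "M4 nut", "created_by": 2},
]
# Hypothetical foreign keys: field name -> related table.
RELATIONS = {"created_by": USERS}

# A subset of Django lookups, enough to show the yes/no oracle.
LOOKUPS = {
    "exact": lambda value, arg: value == arg,
    "startswith": lambda value, arg: str(value).startswith(arg),
    "icontains": lambda value, arg: arg.lower() in str(value).lower(),
}


def _split_key(key):
    """'created_by__password__startswith' -> (['created_by', 'password'], 'startswith')."""
    parts = key.split("__")
    if parts[-1] in LOOKUPS:
        return parts[:-1], parts[-1]
    return parts, "exact"


def _resolve(row, path):
    """Walk a field path across relations, as the ORM does for '__' lookups."""
    value = row
    for i, field in enumerate(path):
        if not isinstance(value, dict) or field not in value:
            raise KeyError(f"unknown field {field!r}")
        value = value[field]
        # Follow the foreign key only when the path continues into the related model.
        if field in RELATIONS and i < len(path) - 1:
            value = RELATIONS[field][value]
    return value


def _matches(row, filters):
    for key, arg in filters.items():
        path, lookup = _split_key(key)
        if not LOOKUPS[lookup](_resolve(row, path), arg):
            return False
    return True


def vulnerable_filter(rows, filters):
    """Unsafe pattern: every caller-supplied key reaches the ORM unchanged,
    so '__' traversal into related models (here, USERS) is permitted."""
    return [row for row in rows if _matches(row, filters)]


# Fields of the queried model that a client may legitimately filter on.
ALLOWED_FIELDS = {"pk", "name", "created_by"}


def safe_filter(rows, filters, allowed=ALLOWED_FIELDS):
    """Hardened form: a single allowlisted field per key, no relation traversal."""
    for key in filters:
        path, _lookup = _split_key(key)
        if len(path) != 1 or path[0] not in allowed:
            raise ValueError(f"disallowed filter field: {key}")
    return vulnerable_filter(rows, filters)


def blind_extract(oracle, charset=string.ascii_letters + string.digits + "$-", max_len=64):
    """Boolean-based extraction: oracle(prefix) is True when any row matches,
    so the hidden value is recovered one character at a time."""
    found = ""
    while len(found) < max_len:
        for ch in charset:
            if oracle(found + ch):
                found += ch
                break
        else:
            return found  # no character extends the prefix: value complete
    return found


def extract_creator_password_hash(part_pk):
    """What an authenticated client could do through the unsafe filter alone:
    pull the password hash of the user related to one part record."""
    def oracle(prefix):
        filters = {"pk": part_pk, "created_by__password__startswith": prefix}
        return bool(vulnerable_filter(PARTS, filters))
    return blind_extract(oracle)


if __name__ == "__main__":
    print(extract_creator_password_hash(10))
```

The hardened check is deliberately strict: rather than blocking known-sensitive paths, it accepts only the queried model's own allowlisted fields, so new relations added later do not silently become reachable.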
Exploitation of this vulnerability allows authenticated users to perform blind boolean-based data extraction from the database: whether a crafted filter returns any rows acts as a yes/no oracle, so sensitive values in related records can be exfiltrated through repeated manipulated API requests.
Users are advised to update to InvenTree version 1.2.6, or to version 1.3.0 and above, where this vulnerability has been patched. No known workarounds are available.