Vikunja Link Sharing Hash Disclosure Vulnerability Allows Permission Escalation
Vulnerability
A vulnerability in Vikunja's link sharing feature prior to version 2.2.2 allows anyone authenticated through a read-only link share to access sensitive information and escalate their permissions. The issue arises because the 'LinkSharing.ReadAll()' method improperly bypasses authorization checks, so a caller holding a read-only link share can read the secret hashes of every other link share within the same project. An attacker could exploit this to gain admin rights by authenticating with the leaked hash of an admin link share. This vulnerability affects Vikunja versions through 2.2.0.
Impact
Exploitation of this vulnerability allows for unauthorized permission escalation, enabling a user with a read-only link share to gain full admin access on the associated project. Additionally, it discloses all link share hashes for the project, which function as bearer tokens for authentication.
Reproduction
To reproduce this vulnerability, first authenticate with a read-only link share hash to obtain a JWT token. Then, use this token to access the 'ReadAll' endpoint for link shares on a project. This will return all link shares for the project, including their secret hashes. With the leaked hash of an admin link share, authenticate again to obtain an admin token, which can then be used to exercise admin privileges, such as deleting a project.
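The authorization gap described above, modelled as an added example (this is not Vikunja's code; the types, function names and the "admin right required" policy in the fixed variant are assumptions): the vulnerable listing filters by project only and never consults the caller's identity, while the fixed one refuses link-share callers and non-admin users before any hash leaves the server.

```go
package main

import "errors"

// Hypothetical model of the authorization gap the advisory describes; not
// Vikunja's own code, and every name here is an assumption.
type Right int
const (
	RightRead  Right = 0
	RightAdmin Right = 2
)

var ErrForbidden = errors.New("forbidden")

// LinkShare is one share record; Hash is the secret that acts as a bearer token.
type LinkShare struct {
	ID, ProjectID int64
	Hash          string
	Right         Right
}

// Auth identifies the caller: a user, or a link share when LinkShareID != 0.
type Auth struct {
	UserID, LinkShareID int64
	Right               Right
}

// Constructed sample data for project 42: one read-only and one admin share.
var shares = []LinkShare{
	{ID: 1, ProjectID: 42, Hash: "CONSTRUCTED-readonly-hash", Right: RightRead},
	{ID: 2, ProjectID: 42, Hash: "CONSTRUCTED-admin-hash", Right: RightAdmin},
}

// readAllVulnerable mirrors the defect: it filters by project only and never
// asks who is calling, so a read-only link share receives every hash.
func readAllVulnerable(_ Auth, projectID int64) ([]LinkShare, error) {
	var out []LinkShare
	for _, s := range shares {
		if s.ProjectID == projectID {
			out = append(out, s)
		}
	}
	return out, nil
}

// readAllFixed refuses link-share callers outright and requires project admin
// rights from real users before returning hashes (assumed policy, not Vikunja's).
func readAllFixed(a Auth, projectID int64) ([]LinkShare, error) {
	if a.LinkShareID != 0 || a.Right < RightAdmin {
		return nil, ErrForbidden
	}
	return readAllVulnerable(a, projectID)
}
```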
Remediation
Update to Vikunja version 2.2.2, which contains the complete fix for this vulnerability. Instructions for updating are available in the Vikunja documentation.
