Tandoor Recipes Batch Update Endpoint Vulnerability Allows Unauthorized Access to Private Recipes

Vulnerability

A vulnerability in Tandoor Recipes prior to version 2.6.4 allows authenticated users within a Space to use the PUT /api/recipe/batch_update/ endpoint to modify any recipe, including those marked as private by other users. This issue arises because the batch update function bypasses object-level authorization checks, enabling the unauthorized exposure of private recipes, self-granting of access to shared recipes, and tampering with recipe metadata. The vulnerability is rooted in the Django REST Framework's handling of batch updates, which does not enforce the same permission checks as individual recipe updates.
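The following stand-alone sketch, added here for illustration and not taken from Tandoor's code base, contrasts the two patterns the description above refers to: a batch update whose lookup is scoped only to the caller's Space (so every member can modify every recipe in it) and a batch update that performs an object-level check on each recipe before writing anything. It does not use Django; the Recipe fields (created_by, private, shared), the sample data and the ownership rule (only a recipe's creator may change its visibility or sharing) are assumptions made for the example.

```python
"""Object-level authorization on a batch endpoint, modelled in plain Python.

Added illustration for this advisory: not Tandoor's code, no Django involved.
Field names, sample data and the ownership rule are assumptions.
"""
from dataclasses import dataclass, field


@dataclass
class Recipe:
    id: int
    space: str
    created_by: str
    private: bool = False
    shared: set = field(default_factory=set)


class PermissionDenied(Exception):
    """Raised when the caller may not modify at least one requested recipe."""


def sample_recipes():
    # Constructed sample data: two recipes in space "a", one in space "b".
    return {
        1: Recipe(1, "a", "alice", private=True),
        2: Recipe(2, "a", "bob"),
        3: Recipe(3, "b", "carol", private=True),
    }


def _apply(recipe, changes):
    # Only the two fields the advisory mentions are modelled here.
    if "private" in changes:
        recipe.private = bool(changes["private"])
    if "shared" in changes:
        recipe.shared = set(changes["shared"])


def batch_update_space_scoped(actor, space, ids, changes, recipes):
    """Weak pattern: the lookup is scoped to the caller's Space and nothing
    else, so any member of the Space can modify any recipe in it."""
    touched = []
    for rid in ids:
        r = recipes.get(rid)
        if r is None or r.space != space:
            continue  # other Spaces are excluded, but ownership is never checked
        _apply(r, changes)
        touched.append(rid)
    return touched


def can_edit(actor, recipe):
    # Assumed ownership rule: only the creator may change visibility/sharing.
    return recipe.created_by == actor


def batch_update_checked(actor, space, ids, changes, recipes):
    """Hardened pattern: every recipe passes an object-level check before any
    write, and one failure rejects the whole batch (no partial updates)."""
    targets = []
    for rid in ids:
        r = recipes.get(rid)
        if r is None or r.space != space or not can_edit(actor, r):
            raise PermissionDenied(f"recipe {rid}: not found or not editable by {actor}")
        targets.append(r)
    for r in targets:
        _apply(r, changes)
    return [r.id for r in targets]


def demo():
    """Same request from a non-owner in the same Space against both patterns.

    Returns (ids touched by weak path, hardened outcome,
             recipe 1 still private after hardened path,
             recipe 1 still private after weak path)."""
    changes = {"private": False, "shared": ["bob"]}

    weak = sample_recipes()
    touched = batch_update_space_scoped("bob", "a", [1, 2], changes, weak)

    hardened = sample_recipes()
    try:
        batch_update_checked("bob", "a", [1, 2], changes, hardened)
        outcome = "allowed"
    except PermissionDenied:
        outcome = "denied"
    return touched, outcome, hardened[1].private, weak[1].private


if __name__ == "__main__":
    print(demo())
```

The point of the hardened variant is that the authorization decision is made per object and before the first write; filtering the queryset by Space alone answers "does this recipe exist here", not "may this caller change it". Rejecting the whole batch on the first failure also avoids the audit-unfriendly situation where some recipes in a request were silently updated and others silently skipped.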

Impact

Exploitation of this vulnerability allows for the unauthorized modification of recipes, including private ones, within the same Space. Users can expose private recipes, manipulate access rights, alter recipe metadata, and revoke access from other users.

Reproduction

To reproduce this vulnerability, an authenticated user in a Space can send a PUT request to the /api/recipe/batch_update/ endpoint. The request must include the IDs of the recipes to be updated, along with any desired changes such as toggling the 'private' visibility setting or modifying the 'shared' access list. The absence of object-level permission checks on this endpoint allows the user to alter recipes owned by others, including those that are private.

Remediation

Users can update to Tandoor Recipes version 2.6.4 or later, where this vulnerability has been fixed.

Added: Apr 6, 2026, 6:31 PM
Updated: Apr 6, 2026, 6:31 PM

Vulnerability Rating

Custom Algorithm

spread: 1.9
impact: 1.3
exploitability: 6.2
remediation: 7.7
relevance: 5.4
threat: 6.4
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.