InvenTree
cpe:2.3:a:inventree_project:inventree:*:*:*:*:*:*:*
- < 1.2.7
A vulnerability in InvenTree, an open-source inventory management system, allows users with staff access to install plugins via the API without superuser privileges. This issue exists in versions prior to 1.2.7 and 1.3.0. The permission requirement for plugin installation is inconsistent with other plugin management actions, such as uninstallation, which do require superuser access. As a result, staff users, who are considered less trusted than superusers, can install arbitrary, potentially harmful plugins.
The vulnerability could be exploited by staff users to install malicious plugins that might overwrite or delete files on the server, bypass security checks, or access sensitive information. Additionally, such plugins could be used to manipulate the InvenTree database or environment variables accessible to the server and worker processes.
Users can update to InvenTree versions 1.2.7 or 1.3.0, both of which require superuser access for plugin installation. Alternatively, InvenTree administrators can disable plugin support entirely or prevent runtime plugin installations via specific environment variables.
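As an added check (not part of this advisory or of the InvenTree project), the following Python maps the two fixed releases named above to the release branches they cover and reports whether a given version string still predates the fix on its branch; the treatment of suffixed pre-release strings and of branches the advisory does not name is my assumption.

```python
import re
from typing import Tuple

# Fixed releases named in the advisory, one per release branch.
FIXED_VERSIONS = ("1.2.7", "1.3.0")

VERSION_RE = re.compile(r"^v?(\d+)\.(\d+)(?:\.(\d+))?(.*)$")


def parse_version(text: str) -> Tuple[int, int, int, int]:
    """Parse 'major.minor[.patch][suffix]' into a sortable tuple.

    Assumption: any trailing suffix (e.g. '-dev', 'rc1', ' dev') marks a
    pre-release, which sorts before the final release of the same number
    (last tuple element 0 for pre-release, 1 for final).
    """
    m = VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    major, minor, patch, suffix = m.groups()
    return (int(major), int(minor), int(patch or 0), 0 if suffix else 1)


def is_affected(version: str, fixed=FIXED_VERSIONS) -> bool:
    """Return True if `version` predates the fix on its release branch.

    A branch with a named fix is affected below that fix. A branch with no
    named fix is treated conservatively as affected unless it is newer than
    every fixed branch (assumed to carry the fix forward).
    """
    key = parse_version(version)
    branch = key[:2]
    fixes = sorted(parse_version(f) for f in fixed)
    for fix in fixes:
        if fix[:2] == branch:
            return key < fix
    return branch < fixes[-1][:2]


if __name__ == "__main__":
    # Constructed sample version strings, not taken from any real deployment.
    for v in ("1.2.6", "1.2.7", "1.3.0-dev", "1.3.0", "1.1.9", "1.4.0"):
        print(f"{v:>10}: {'AFFECTED' if is_affected(v) else 'fixed'}")
```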