Vikunja SQL Operator Precedence Vulnerability Allows Unauthorized Label Access

Vulnerability

A vulnerability in Vikunja's task management platform prior to version 2.3.0 allows any authenticated user to access labels associated with tasks, regardless of project permissions. This issue stems from a SQL operator precedence error in the 'hasAccessToLabel' function, which improperly groups query conditions. As a result, labels with task associations can be accessed without the necessary project rights, leading to unauthorized exposure of label details such as titles, descriptions, colors, and creator information.

Impact

Exploitation of this vulnerability allows any authenticated user to read label metadata and creator information from any project, as long as the labels are attached to at least one task. This represents a cross-project information disclosure risk.

Reproduction

To reproduce this vulnerability, an authenticated user can request access to a label that is attached to a task in a private project. The 'hasAccessToLabel' function will incorrectly grant access due to the SQL query's lack of proper condition grouping, allowing the user to read the label's details even without project permissions.
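The precedence error described in the Vulnerability and Reproduction sections above, as an added example that is not Vikunja's own code or schema: a constructed, simplified SQLite model with an assumed `labels`/`tasks`/`label_tasks`/`project_members` schema, an ungrouped predicate that SQL parses as `attached OR (creator AND member)`, and the corrected predicate with explicit parentheses. The outsider user 99 and member user 10 are constructed sample data.

```python
import sqlite3

# Constructed, simplified model of a "may this user read this label?" check.
# Schema, data and both queries are assumptions for illustration, not Vikunja's own.
SCHEMA = """
CREATE TABLE labels (id INTEGER PRIMARY KEY, title TEXT, created_by INTEGER);
CREATE TABLE tasks (id INTEGER PRIMARY KEY, project_id INTEGER);
CREATE TABLE label_tasks (label_id INTEGER, task_id INTEGER);
CREATE TABLE project_members (project_id INTEGER, user_id INTEGER);
INSERT INTO labels VALUES (1, 'confidential', 10);  -- created by user 10
INSERT INTO labels VALUES (2, 'unattached', 10);    -- created by user 10, no task
INSERT INTO tasks VALUES (100, 5);                  -- task 100 lives in private project 5
INSERT INTO label_tasks VALUES (1, 100);            -- label 1 is attached to task 100
INSERT INTO project_members VALUES (5, 10);         -- only user 10 is a member of project 5
"""

# Shared part: the label, the tasks it is attached to, and whether the viewer
# (:uid) is a member of each such task's project.
BASE = """
SELECT DISTINCT l.id FROM labels l
LEFT JOIN label_tasks lt ON lt.label_id = l.id
LEFT JOIN tasks t ON t.id = lt.task_id
LEFT JOIN project_members pm ON pm.project_id = t.project_id AND pm.user_id = :uid
WHERE l.id = :label_id AND (
"""

# Vulnerable predicate: no grouping. SQL binds AND tighter than OR, so this is
#   attached OR (creator AND member)
# and "attached to any task" alone grants access, regardless of project rights.
VULN = BASE + "lt.task_id IS NOT NULL OR l.created_by = :uid AND pm.user_id IS NOT NULL)"

# Fixed predicate: explicit parentheses state the intended policy
#   creator OR (attached AND member of that task's project)
FIXED = BASE + "l.created_by = :uid OR (lt.task_id IS NOT NULL AND pm.user_id IS NOT NULL))"


def has_access(query: str, uid: int, label_id: int) -> bool:
    """Return True if `query` grants user `uid` read access to label `label_id`."""
    con = sqlite3.connect(":memory:")
    con.executescript(SCHEMA)
    row = con.execute(query, {"uid": uid, "label_id": label_id}).fetchone()
    con.close()
    return row is not None


if __name__ == "__main__":
    for name, q in (("vulnerable", VULN), ("fixed", FIXED)):
        print(f"{name}: outsider 99 -> {has_access(q, 99, 1)}, "
              f"member 10 -> {has_access(q, 10, 1)}, "
              f"outsider 99 on unattached label -> {has_access(q, 99, 2)}")
```

Only the task-attached label leaks under the vulnerable predicate; the unattached label stays hidden from the outsider in both versions, matching the advisory's condition that the label be attached to at least one task.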

Remediation

Update to Vikunja version 2.3.0 or later, where this vulnerability has been fixed.

Added: Apr 10, 2026, 6:52 PM
Updated: Apr 10, 2026, 6:52 PM

Vulnerability Rating

Custom Algorithm
spread: 0.0
impact: 0.6
exploitability: 6.2
remediation: 0.0
relevance: 5.6
threat: 6.4
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.