Vikunja Missing Authorization Vulnerability in CalDAV Task Read Operations
Vulnerability
A vulnerability exists in Vikunja, an open-source task management platform, in versions prior to 2.3.0. The issue lies in the CalDAV 'GetResource' and 'GetResourcesByList' methods, which retrieve tasks by their unique identifiers (UIDs) without verifying whether the authenticated user has access to the project the task belongs to. As a result, any authenticated CalDAV user who knows or guesses a task UID can read the full task details from any project on the instance. The vulnerability is particularly concerning in multi-tenant deployments, where it could lead to unauthorized data access across organizational boundaries.
Impact
Exploitation of this vulnerability allows authenticated CalDAV users to read task details from any project, regardless of whether they have been granted access to that project. The exposed data includes task titles, descriptions, due dates, priorities, labels, and reminders. In multi-tenant deployments, this could result in unauthorized data exposure across different organizations.
Reproduction
To reproduce this vulnerability, an authenticated CalDAV user can send a request to the 'GetResource' or 'GetResourcesByList' methods with a task UID. The request can be made through the CalDAV interface, bypassing authorization checks. This can be done using a CalDAV client or by manually crafting a request that includes the UID of a task from a project the user does not have access to.
Remediation
Users should update to Vikunja version 2.3.0, which addresses this vulnerability by adding the missing project authorization checks to the affected CalDAV methods.
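The fix in outline, as an added example in Go (the language of Vikunja's backend) that is not Vikunja's own code: a UID lookup that mirrors the flawed pattern beside one that checks project access before returning the task, plus the list variant. The in-memory store, task UIDs, project IDs and user IDs are all constructed assumptions.

```go
package main

import "fmt"

// Constructed in-memory stand-in for Vikunja's task store; not the project's own code.
type Task struct{ UID string; ProjectID int64; Title string }
var ErrNotFound = fmt.Errorf("task not found")
// Sample tasks indexed by CalDAV UID, one per project (constructed data).
var tasks = map[string]Task{
	"uid-1": {UID: "uid-1", ProjectID: 1, Title: "Team A: quarterly plan"},
	"uid-2": {UID: "uid-2", ProjectID: 2, Title: "Team B: payroll review"},
}

// projectReaders maps a project ID to the user IDs allowed to read it (constructed).
var projectReaders = map[int64]map[int64]bool{1: {10: true}, 2: {20: true}}

// getResourceVulnerable mirrors the flawed pattern: fetch by UID alone, never checking project access.
func getResourceVulnerable(userID int64, uid string) (Task, error) {
	if t, ok := tasks[uid]; ok {
		return t, nil
	}
	return Task{}, ErrNotFound
}

// getResourceFixed consults the project permission first; an inaccessible task is
// reported like a missing one, so a guessed UID cannot be confirmed to exist.
func getResourceFixed(userID int64, uid string) (Task, error) {
	if t, ok := tasks[uid]; ok && projectReaders[t.ProjectID][userID] {
		return t, nil
	}
	return Task{}, ErrNotFound
}

// getResourcesByListFixed applies the same check per UID and drops tasks the
// user may not read rather than failing the whole request.
func getResourcesByListFixed(userID int64, uids []string) []Task {
	var out []Task
	for _, uid := range uids {
		if t, err := getResourceFixed(userID, uid); err == nil {
			out = append(out, t)
		}
	}
	return out
}

func main() {
	_, err := getResourceVulnerable(10, "uid-2") // user 10 cannot read project 2
	fmt.Println("vulnerable:", err)              // <nil>: the task is returned anyway
	fmt.Println(getResourcesByListFixed(10, []string{"uid-1", "uid-2"})) // only uid-1
}
```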
