Cronicle Privilege Escalation Vulnerability via Unchecked Job Output Updates
Vulnerability
A privilege escalation vulnerability exists in Cronicle, a multi-server task scheduler, in versions prior to 0.9.111. Low-privilege users who can create and run events can exploit this vulnerability by including an 'update_event' key in the JSON output of their job scripts. The server processes this key without any authorization checks, allowing the user to modify various event properties, such as webhook URLs and notification emails. This unauthorized access could lead to interception of alerts and exfiltration of sensitive job data, including script contents and internal network information.
Impact
Exploitation allows low-privilege users to modify event configurations without authorization, redirect webhook notifications to attacker-controlled servers, and intercept notification emails. This could result in the exfiltration of sensitive job data, such as script contents, environment variables, and internal network information.
Reproduction
To reproduce this vulnerability, a low-privilege user can create a Shell Script event that includes an 'update_event' key in the output JSON. When the event is run, the server applies the changes to the event configuration without authorization. The modified webhook then exfiltrates job data to an attacker-controlled server.
Remediation
Users should update to Cronicle version 0.9.111 or later, where this vulnerability has been fixed.
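The missing control described above is an authorization check between the job's JSON output and the stored event. The sketch below is an added example, not Cronicle's code or its actual patch: it applies `update_event` only when the user who launched the job holds an edit privilege, and records every attempt for alerting. The privilege name, the field names, the user object shape and the sample output are assumptions.

```javascript
// Added illustration, not Cronicle source; privilege and field names are assumptions.
const EDIT_PRIV = 'edit_events';
const SENSITIVE = new Set(['web_hook', 'notify_success', 'notify_fail']);
const UNSAFE_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

// Constructed sample of a job's stdout: plain log text mixed with JSON messages.
const SAMPLE_STDOUT = [
  'starting nightly export',
  '{"progress": 0.5}',
  '{"complete": 1, "code": 0, "update_event": {"web_hook": "https://hooks.example.invalid/new"}}'
].join('\n');

// Collect every update_event object found in the job output (one JSON document per line).
function extractUpdates(stdout) {
  const updates = [];
  for (const line of stdout.split('\n')) {
    const text = line.trim();
    if (!text.startsWith('{')) continue; // ordinary log output
    let msg;
    try { msg = JSON.parse(text); } catch (err) { continue; }
    const upd = msg.update_event;
    if (upd && typeof upd === 'object' && !Array.isArray(upd)) updates.push(upd);
  }
  return updates;
}

// Apply requested changes only if the user who launched the job may edit events.
// An audit record is returned either way so rejected attempts can be alerted on.
function applyJobUpdates(event, stdout, user) {
  const privs = user.privileges || {};
  const allowed = Boolean(privs.admin || privs[EDIT_PRIV]);
  const audit = { user: user.username, applied: [], rejected: [], sensitive: [] };
  for (const upd of extractUpdates(stdout)) {
    for (const key of Object.keys(upd)) {
      if (SENSITIVE.has(key)) audit.sensitive.push(key);
      if (!allowed || UNSAFE_KEYS.has(key)) { audit.rejected.push(key); continue; }
      event[key] = upd[key];
      audit.applied.push(key);
    }
  }
  return audit;
}
```

An audit record with a non-empty `rejected` list, or any entry in `sensitive` from a job owned by a user without edit rights, is a useful alert condition on servers that cannot be upgraded immediately.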
