Chartbrew Incorrect Access Control Vulnerability in Share Policy Routes Allowing Cross-Project Modifications

Vulnerability

A vulnerability in Chartbrew version 4.9.0 allows authenticated users to perform cross-project modification of dashboard sharing rules. The share policy routes take both a project identifier and a policy_id, but the application does not verify that the SharePolicy record identified by policy_id belongs to the project being accessed. As a result, a user who may manage sharing on one project can update or delete the sharing policies of projects they have no access to, altering visibility, password requirements, allowed parameters, and expiration settings. This vulnerability has been patched in version 5.0.0.

Impact

Exploitation of this vulnerability allows unauthorized changes to another project's dashboard sharing policies, which can weaken or remove the access restrictions placed on a shared dashboard. This could expose shared dashboards to broader external access than intended (for example by removing a password requirement or an expiration date), bypass the owning project's access controls, and, where policies are deleted, break legitimate sharing workflows.

Reproduction

To reproduce this vulnerability, an authenticated user who has permission to update share policies on one project (project A) sends an update or delete request to project A's share policy route, supplying a policy_id that belongs to a different project (project B). Because the route only checks the user's permission on project A and never confirms that the policy belongs to project A, the update or delete is applied to project B's policy, demonstrating the cross-project access control flaw.

Remediation

Users can update to Chartbrew version 5.0.0, where this vulnerability has been patched.

Added: Apr 30, 2026, 7:22 PM
Updated: Apr 30, 2026, 7:22 PM

Vulnerability Rating

Custom Algorithm
spread: 0.0
impact: 0.6
exploitability: 6.6
remediation: 0.0
relevance: 7.1
threat: 6.4
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.