Chartbrew Incorrect Access Control Vulnerability in Dataset and DataRequest Endpoints Allowing Cross-Project Data Disclosure

Vulnerability

A vulnerability in Chartbrew version 4.9.0 allows low-privileged project members to access, modify, and delete datasets and data requests across different projects within the same team. This issue arises because the application improperly authorizes access at the team level, without verifying that the requested resources belong to the caller's allowed projects. As a result, an authenticated attacker can exploit this flaw remotely, using standard project-level credentials, leading to unauthorized access to sensitive data and misuse of database or API connections on behalf of the victim.
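The authorization gap described above, shown as an added defender-side illustration that is not Chartbrew's own code: the check that stops at team membership beside the corrected check that also confirms the dataset's project is one the caller is allowed to see. The data model, role names and function names are constructed for this example.

```javascript
// Constructed sample data: one team, two projects, datasets and data
// requests in each. These are placeholders, not Chartbrew's real schema.
const projects = { projA: { id: "projA", teamId: "team1" },
                   projB: { id: "projB", teamId: "team1" } };
const datasets = { ds1: { id: "ds1", projectId: "projA" },
                   ds2: { id: "ds2", projectId: "projB" } };
const dataRequests = { dr1: { id: "dr1", datasetId: "ds1" },
                       dr2: { id: "dr2", datasetId: "ds2" } };
// "mallory" holds a project-level role on team1 scoped to projA only.
const teamRoles = [
  { userId: "mallory", teamId: "team1", role: "projectEditor", projects: ["projA"] },
];

function findRole(userId, teamId) {
  return teamRoles.find((r) => r.userId === userId && r.teamId === teamId);
}

function projectOfDataset(datasetId) {
  const ds = datasets[datasetId];
  return ds ? projects[ds.projectId] : undefined;
}

// Weak check (the pattern the advisory describes): only asks whether the
// caller belongs to the team that owns the dataset's project.
function canAccessDatasetTeamOnly(userId, datasetId) {
  const project = projectOfDataset(datasetId);
  return Boolean(project && findRole(userId, project.teamId));
}

// Corrected check: team membership is necessary but not sufficient; the
// dataset's project must also be in the caller's allowed project list,
// unless the role is team-wide (assumed here: teamOwner / teamAdmin).
function canAccessDatasetProjectScoped(userId, datasetId) {
  const project = projectOfDataset(datasetId);
  if (!project) return false;
  const role = findRole(userId, project.teamId);
  if (!role) return false;
  if (role.role === "teamOwner" || role.role === "teamAdmin") return true;
  return role.projects.includes(project.id);
}

// Data requests inherit authorization from their parent dataset, so the
// same project-scoped check applies after resolving the parent.
function canAccessDataRequestProjectScoped(userId, dataRequestId) {
  const dr = dataRequests[dataRequestId];
  return Boolean(dr) && canAccessDatasetProjectScoped(userId, dr.datasetId);
}
```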

Impact

Exploitation of this vulnerability allows for cross-project data access within the same team, enabling an attacker to read, modify, and delete datasets and data requests that belong to other projects. This could result in unauthorized access to sensitive third-party API data, internal service data, or database query results. Additionally, the vulnerability allows for the creation and modification of data requests on behalf of victims, potentially tampering with how their datasets retrieve data.

Reproduction

To reproduce this vulnerability, an authenticated user with a project-level role that can access datasets must send requests to the dataset or dataRequest endpoints for resources that belong to other projects within the same team. This can be done by enumerating or knowing the victim dataset or data request IDs.

Remediation

Users are advised to update to Chartbrew version 5.0.0, where this vulnerability has been patched.

Added: Apr 30, 2026, 7:19 PM
Updated: Apr 30, 2026, 7:19 PM

Vulnerability Rating

Custom Algorithm
spread: 0.0
impact: 3.1
exploitability: 6.2
remediation: 0.0
relevance: 7.1
threat: 6.4
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.