Data Space Portal Insufficient Authorization Vulnerability in Self-Registered Pending Accounts

Vulnerability

A vulnerability exists in Data Space Portal versions 2.1.1 prior to 7.3.2 that allows self-registered organization/user accounts still in 'PENDING' status to call certain backend API endpoints without proper authorization. The root cause is that the API checks only that a session is authenticated, not the status of the account behind it: a pending user can log in and use that session to call those endpoints. As a result, pending users can view the dataspace catalog and register connectors, which lets them participate in the dataspace without ever being approved.

Impact

This vulnerability allows pending users to reach API endpoints they are not authorized for, potentially leading to unauthorized participation in the dataspace and to the consumption or creation of malicious data offers. It could also degrade the availability of the Data Space Portal if it is flooded with unapproved connectors and data offers.

Reproduction

To reproduce this vulnerability, register a new account and log in. After logging in, use the session cookie to issue requests to the catalog and connector registration endpoints. Although the account is still in 'PENDING' status, the requests succeed: catalog data is returned and a connector can be registered, which is then recognized in Keycloak/DAPS and allows participation in the dataspace.

Remediation

As a short-term mitigation, operators can block self-registration by adding a rule to their Caddyfile that answers registration requests with a 'Forbidden' status. The long-term fix is a backend check that verifies the account status on every request, so that only active users can log in and access API endpoints.
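The following is an added example, not code from Data Space Portal, that models the authorization defect described above and the backend check that closes it: the pre-fix logic accepts any authenticated session, while the hardened logic also requires the user and its organization to be ACTIVE before a protected endpoint is served. The endpoint paths, session identifiers and account records are constructed for illustration and are not the project's real data model.

```python
from dataclasses import dataclass
from enum import Enum


class Status(Enum):
    PENDING = "PENDING"
    ACTIVE = "ACTIVE"
    REJECTED = "REJECTED"


@dataclass
class Account:
    user_id: str
    organization_id: str
    user_status: Status
    org_status: Status


# Constructed sample data standing in for the portal's session store and
# user database (hypothetical, not the project's real schema).
ACCOUNTS = {
    "alice": Account("alice", "org-a", Status.ACTIVE, Status.ACTIVE),
    "bob": Account("bob", "org-b", Status.PENDING, Status.PENDING),
}
SESSIONS = {"sess-alice": "alice", "sess-bob": "bob"}

# Endpoints that must only be reachable by approved participants
# (hypothetical paths chosen for illustration).
PROTECTED = {"/api/catalog", "/api/connectors/register"}


def authorize_vulnerable(session_id: str, path: str) -> bool:
    """Pre-fix logic: authentication is checked, account status is not,
    so a PENDING user with a valid session reaches protected endpoints."""
    return session_id in SESSIONS


def authorize_fixed(session_id: str, path: str) -> bool:
    """Hardened logic: the session must resolve to an account whose user
    and organization are both ACTIVE before a protected endpoint is served."""
    user_id = SESSIONS.get(session_id)
    if user_id is None:
        return False  # no valid session at all
    if path not in PROTECTED:
        return True  # e.g. the endpoint that shows the pending-approval page
    account = ACCOUNTS[user_id]
    return (account.user_status is Status.ACTIVE
            and account.org_status is Status.ACTIVE)
```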

Added: May 8, 2026, 10:09 PM
Updated: May 8, 2026, 10:09 PM

Vulnerability Rating

Custom Algorithm
spread: 0.0
impact: 1.3
exploitability: 6.6
remediation: 0.0
relevance: 7.8
threat: 6.4
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to produce these 8 key vulnerability categories, which are then combined into the overall risk score.