Postiz AI Social Media Tool Pwn Request Vulnerability Allowing Arbitrary Code Execution and GITHUB_TOKEN Exfiltration

Vulnerability

A critical 'Pwn Request' vulnerability has been identified in the Postiz AI social media scheduling tool, specifically within the 'Build and Publish PR Docker Image' workflow. The vulnerability, present in versions 0 and above prior to the patch in commit da44801, allows any unauthenticated user to execute arbitrary code during the Docker build process. Exploiting it also enables the exfiltration of a highly privileged GITHUB_TOKEN with 'write-all' permissions. The issue is triggered simply by opening a Pull Request from a fork that includes a maliciously modified Dockerfile.dev.

Impact

Exploitation of this vulnerability allows an attacker to execute arbitrary code in the context of the Docker build process, with the potential to exfiltrate a GITHUB_TOKEN that has full read-write access to the Postiz repository. This access includes the ability to commit changes, create releases, and manage Pull Requests and Issues.

Reproduction

To reproduce this vulnerability, fork the Postiz repository and create a Pull Request that includes a maliciously modified Dockerfile.dev. The 'Build and Publish PR Docker Image' workflow will execute the code in the Dockerfile.dev during the build process, allowing for arbitrary code execution and exfiltration of the GITHUB_TOKEN.
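The workflow pattern behind this class of bug, as an added illustration that is not Postiz's own workflow file (the job layout, image tag and step names are assumed): the weak configuration builds a fork's Dockerfile.dev under a privileged trigger with a write-all token, while the hardened one builds the same untrusted code under the unprivileged pull_request trigger with a read-only token.

```yaml
# Weak pattern (illustrative, not the Postiz workflow): pull_request_target runs in the
# base repository's context with a privileged GITHUB_TOKEN, yet checks out and builds
# the fork's commit, so whatever the PR's Dockerfile.dev does runs with that token in reach.
name: Build and Publish PR Docker Image
on:
  pull_request_target:        # privileged trigger: base-repo token and secrets available
permissions: write-all        # token can push commits, create releases, manage PRs/issues
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          ref: ${{ github.event.pull_request.head.sha }}   # untrusted fork commit
      - run: docker build -f Dockerfile.dev -t pr-image:${{ github.event.number }} .

---
# Hardened pattern: build untrusted code only under the pull_request trigger, which for a
# fork PR runs with a read-only token and no repository secrets, and grant the token just
# the read access the build needs. The fork's Dockerfile.dev still runs, but nothing it
# can reach lets it write to the repository.
name: Build PR Docker Image
on:
  pull_request:               # unprivileged trigger for fork PRs
permissions:
  contents: read              # explicit least privilege, even if the repo default is wider
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4   # checks out the PR merge commit; no fork ref needed
      - run: docker build -f Dockerfile.dev -t pr-image:${{ github.event.number }} .
```

If the image must be pushed to a registry, do that in a separate job that never checks out or executes the fork's code, so the publishing credentials never share a runner with the untrusted build.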

Remediation

Users can update to Postiz version 0 or later, where this vulnerability has been patched.

Added: May 8, 2026, 11:29 PM
Updated: May 8, 2026, 11:29 PM

Vulnerability Rating

Custom Algorithm
spread: 0.0
impact: 10.0
exploitability: 8.4
remediation: 0.0
relevance: 7.8
threat: 4.8
urgency: 2.9
incentive: 4.2

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.