Pelican Privilege Escalation Vulnerability in Web User Interface
Vulnerability
A privilege escalation vulnerability has been identified in Pelican's Web User Interface (WebUI) versions 7.21.0 prior to 7.21.5, 7.22.0 prior to 7.22.3, 7.23.0 prior to 7.23.3, and 7.24.0 prior to 7.24.2. This vulnerability allows users authenticated via OAuth to gain admin privileges under certain configurations. The issue has been patched in versions 7.21.5, 7.22.3, 7.23.3, and 7.24.2.
Impact
Exploitation of this vulnerability allows authenticated users to escalate privileges to admin level, enabling them to modify server configurations, create persistent API tokens for ongoing access, and change admin passwords. In the context of Pelican services, this could lead to significant disruptions, such as poisoning federation-wide namespaces or exposing protected data through compromised origins.
Remediation
Users should upgrade to Pelican version 7.21.5, 7.22.3, 7.23.3, or 7.24.2. If an immediate upgrade is not possible, administrators can disable the affected 'Server.UIAdminUsers' and 'Server.AdminGroups' configuration options. Administrators who have previously used these settings should audit the database for signs of prior exploitation (unexpected admin accounts, API tokens, or changed admin passwords) before upgrading.
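As an added example (not code from the Pelican project), the script below encodes the affected version ranges stated above so an administrator can classify an inventory of Pelican hosts and see which ones need which fixed release, and flags whether the two configuration options named in the remediation are set. It assumes version strings of the form MAJOR.MINOR.PATCH (optionally with a 'v' prefix or a pre-release suffix) and that a loaded configuration is a nested dict where the dotted key 'Server.UIAdminUsers' corresponds to config["Server"]["UIAdminUsers"]; both the inventory and the config dict are constructed sample data.

```python
# Added example, not Pelican project code: classify Pelican versions against the
# affected ranges in this advisory and flag the configuration options it names.
import re

# Affected ranges from the advisory: inclusive lower bound, exclusive upper bound
# (the upper bound is the first fixed release on that branch).
AFFECTED_RANGES = [
    ((7, 21, 0), (7, 21, 5)),
    ((7, 22, 0), (7, 22, 3)),
    ((7, 23, 0), (7, 23, 3)),
    ((7, 24, 0), (7, 24, 2)),
]

# Configuration options the advisory says to disable until the upgrade is done.
VULNERABLE_OPTIONS = ["Server.UIAdminUsers", "Server.AdminGroups"]

# Assumption: version strings start with MAJOR.MINOR.PATCH; a leading 'v' and any
# trailing pre-release suffix (e.g. '-rc1') are tolerated and ignored.
_VERSION_RE = re.compile(r"^v?(\d+)\.(\d+)\.(\d+)")


def parse_version(text):
    """Return (major, minor, patch) as ints, or raise ValueError."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(x) for x in m.groups())


def assess(version_text):
    """Return (affected, first_fixed_version) for one version string.

    first_fixed_version is None when the version is outside every range the
    advisory lists; the advisory says nothing about other branches, so this
    only reports 'not in a listed affected range'.
    """
    v = parse_version(version_text)
    for low, fixed in AFFECTED_RANGES:
        if low <= v < fixed:
            return True, ".".join(str(n) for n in fixed)
    return False, None


def hosts_needing_upgrade(inventory):
    """Given {hostname: version_string}, return a sorted list of
    (hostname, version, first_fixed_version) for affected hosts."""
    result = []
    for host, version in inventory.items():
        affected, fixed = assess(version)
        if affected:
            result.append((host, version, fixed))
    return sorted(result)


def enabled_vulnerable_options(config):
    """Return the dotted option names from VULNERABLE_OPTIONS that are set to a
    non-empty value in a nested config dict (assumed layout: dotted key
    'A.B' -> config['A']['B'])."""
    enabled = []
    for dotted in VULNERABLE_OPTIONS:
        node = config
        for part in dotted.split("."):
            if not isinstance(node, dict) or part not in node:
                node = None
                break
            node = node[part]
        if node:  # non-empty list/string/true counts as enabled
            enabled.append(dotted)
    return enabled


if __name__ == "__main__":
    # Constructed sample inventory; hostnames and versions are illustrative only.
    sample_inventory = {
        "origin-a.example": "7.21.4",
        "cache-b.example": "v7.22.3",
        "director.example": "7.24.1-rc2",
        "legacy.example": "7.20.9",
    }
    for host, version, fixed in hosts_needing_upgrade(sample_inventory):
        print(f"{host}: {version} is affected, upgrade to {fixed}")

    # Constructed sample config dict (assumed nested layout, see docstring).
    sample_config = {"Server": {"UIAdminUsers": ["alice"], "AdminGroups": []}}
    print("options to disable:", enabled_vulnerable_options(sample_config))
```

Run it against an exported inventory and a parsed copy of each server's configuration; hosts listed by `hosts_needing_upgrade` are on an affected release, and any option returned by `enabled_vulnerable_options` is one the advisory says to disable until the upgrade, with a database audit for prior misuse if it was in use before.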
