CISA Manage.get.gov Cross-Portfolio Privilege Escalation Vulnerability
Vulnerability
A vulnerability in manage.get.gov, CISA's registrar for the .gov TLD, allows organization administrators to improperly assign domain manager privileges across different portfolios. The issue arises from a lack of validation in the domain assignment process, which enables cross-organization privilege escalation. The vulnerability affects all versions of manage.get.gov prior to 1.176.0.
Impact
Exploitation of this vulnerability allows cross-portfolio privilege escalation, where an administrator can assign management rights for domains in other organizations, potentially leading to unauthorized domain control and violations of organizational boundaries.
Reproduction
The vulnerability can be reproduced by creating two separate portfolios, each representing a different organization. After assigning a user to one portfolio, a domain can be created in the other portfolio. The domain ID can then be added to the 'added_domains' parameter, bypassing portfolio restrictions and granting unauthorized management privileges.
Remediation
Users can update to version 1.176.0 or later, where this vulnerability has been fixed.
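The kind of server-side check whose absence the advisory describes, shown as an added example and not manage.get.gov's own code. The `Domain` model, the function names, the in-memory store and the sample IDs are assumptions constructed for illustration; only the `added_domains` parameter name comes from the advisory.

```python
from dataclasses import dataclass


class CrossPortfolioError(PermissionError):
    """Raised when a request names domains outside the acting admin's portfolio."""


@dataclass(frozen=True)
class Domain:
    id: int
    name: str
    portfolio_id: int


# Constructed sample data: two portfolios standing in for two organizations.
DOMAINS = {
    101: Domain(101, "agency-a.gov", portfolio_id=1),
    102: Domain(102, "agency-a-services.gov", portfolio_id=1),
    201: Domain(201, "agency-b.gov", portfolio_id=2),
}


def assign_unchecked(added_domains, member, managers):
    """Flawed pattern: trusts every submitted ID that exists, whatever its portfolio."""
    for domain_id in added_domains:
        if domain_id in DOMAINS:
            managers.setdefault(domain_id, set()).add(member)
    return managers


def assign_checked(admin_portfolio_id, added_domains, member, managers):
    """Hardened pattern: validate the whole request before changing anything."""
    requested = set(added_domains)
    # Scope the lookup to the acting admin's portfolio (hypothetical data model).
    allowed = {d.id for d in DOMAINS.values() if d.portfolio_id == admin_portfolio_id}
    rejected = sorted(requested - allowed)  # unknown and foreign-portfolio IDs alike
    if rejected:
        # Fail closed and surface the IDs so the attempt can be logged and alerted on.
        raise CrossPortfolioError(
            f"domains outside portfolio {admin_portfolio_id}: {rejected}"
        )
    for domain_id in requested:
        managers.setdefault(domain_id, set()).add(member)
    return managers
```

Rejecting the whole request, rather than silently dropping the out-of-scope IDs, leaves no partial assignment behind and gives detection a clear event to key on.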
