ShellHub Cross-Tenant Information Disclosure Vulnerability in Session API

Vulnerability

A cross-tenant information disclosure vulnerability has been identified in ShellHub versions prior to 0.24.2. The issue arises in the `GET /api/sessions/:uid` endpoint, which returns the full session object for any authenticated user without scoping it to the user's tenant. This allows an authenticated user to access session records from other namespaces, including sensitive information such as SSH usernames, device UIDs, remote IPs, terminal types, authentication statuses, and timestamps.
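The defect described above is a missing tenant-scoping check on a lookup-by-identifier endpoint. The following Go program is an added illustration of that pattern and of its fix; it is not ShellHub's code, and the `Session` type, the in-memory `store`, the tenant and session identifiers and the IP addresses are all constructed for the example. The unscoped lookup returns whatever record matches the UID; the scoped lookup takes the tenant from the authenticated caller's context and treats a record from any other tenant exactly like a missing one.

```go
package main

import (
	"errors"
	"fmt"
)

// Session is a hypothetical, simplified session record. The field set mirrors
// the kinds of attributes the advisory says were exposed; it is not ShellHub's
// actual schema.
type Session struct {
	UID           string
	TenantID      string
	Username      string
	DeviceUID     string
	RemoteIP      string
	Authenticated bool
}

var ErrNotFound = errors.New("session not found")

// store is a constructed in-memory dataset holding one session from each of
// two tenants. The IPs are from documentation ranges (RFC 5737).
var store = map[string]Session{
	"sess-a1": {UID: "sess-a1", TenantID: "tenant-a", Username: "alice", DeviceUID: "dev-a", RemoteIP: "198.51.100.10", Authenticated: true},
	"sess-b1": {UID: "sess-b1", TenantID: "tenant-b", Username: "bob", DeviceUID: "dev-b", RemoteIP: "203.0.113.7", Authenticated: true},
}

// GetSessionUnscoped models the defective behaviour: the caller's tenant is
// accepted but never consulted, so any authenticated caller can read any
// session by UID.
func GetSessionUnscoped(_ string, uid string) (Session, error) {
	s, ok := store[uid]
	if !ok {
		return Session{}, ErrNotFound
	}
	return s, nil
}

// GetSessionScoped is the corrected pattern. callerTenant must come from the
// authenticated identity (token claims, session context), never from the
// request path or body. A tenant mismatch is reported exactly like a missing
// record so the endpoint does not reveal whether a UID exists elsewhere.
func GetSessionScoped(callerTenant string, uid string) (Session, error) {
	s, ok := store[uid]
	if !ok || s.TenantID != callerTenant {
		return Session{}, ErrNotFound
	}
	return s, nil
}

func main() {
	// A caller from tenant-a asks for a session that belongs to tenant-b.
	if _, err := GetSessionUnscoped("tenant-a", "sess-b1"); err == nil {
		fmt.Println("unscoped lookup: cross-tenant record returned")
	}
	if _, err := GetSessionScoped("tenant-a", "sess-b1"); errors.Is(err, ErrNotFound) {
		fmt.Println("scoped lookup: cross-tenant request reported as not found")
	}
	if s, err := GetSessionScoped("tenant-a", "sess-a1"); err == nil {
		fmt.Printf("scoped lookup: own-tenant record for %s returned\n", s.Username)
	}
}
```

With a real database the same rule is applied in the query itself (filter on both the UID and the caller's tenant) rather than by fetching the record first and comparing afterwards, so that no handler can forget the check. On the monitoring side, a burst of not-found responses for session UIDs from a single token is a useful signal that someone is probing identifiers outside their own namespace.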

Impact

Exploitation of this vulnerability leads to unauthorized access to SSH session data from other tenants, including usernames, device UIDs, remote IPs, authentication statuses, and session timestamps. This could facilitate reconnaissance of active users and systems in other tenants, potentially allowing for deeper exploitation, especially if combined with session recording features.

Reproduction

To reproduce this vulnerability, an authenticated user must obtain a session UID from a victim tenant. This UID can be acquired through various means, such as logs, shared session recordings, or UI URLs. Once the UID is obtained, the user can make a request to the `GET /api/sessions/:uid` endpoint, including their authentication token. The response will include the full session data from the victim tenant, demonstrating the cross-tenant information disclosure.

Remediation

Users are advised to update to ShellHub version 0.24.2 or later, where this vulnerability has been fixed.

Added: May 13, 2026, 10:28 PM
Updated: May 13, 2026, 10:28 PM

Vulnerability Rating

Custom Algorithm
spread: 0.0
impact: 0.6
exploitability: 6.2
remediation: 0.0
relevance: 8.2
threat: 6.4
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.