ShellHub Cross-Tenant Information Disclosure Vulnerability in Device Metadata API

Vulnerability

A cross-tenant information disclosure vulnerability has been identified in ShellHub, a centralized SSH gateway, in versions prior to 0.24.2. The `GET /api/devices/:uid` endpoint authenticates the caller but does not check that the requested device belongs to the caller's namespace, so it returns the full device object to any authenticated user. An authenticated user who knows a device UID can therefore read the metadata of devices in other namespaces.

Impact

Exploitation of this vulnerability leads to unauthorized access to device metadata from other namespaces: the device's hostname, MAC address, operating system information, public SSH key, namespace name, last-seen timestamp, and remote address. Because the namespace name is among the returned fields, a single known UID is enough to map a device to its tenant, and repeated requests could facilitate enumeration of namespaces, inventory of devices in other tenants, and targeted follow-up attacks.

Reproduction

To reproduce this vulnerability, an authenticated user sends a request to the `GET /api/devices/:uid` endpoint with a valid device UID that belongs to a different namespace, supplying an authorization token for their own account. On an affected version the response contains the full metadata of the foreign device, demonstrating the cross-tenant information disclosure; on a fixed version the same request does not return it.

Remediation

Users should update to ShellHub version 0.24.2 or later, where this vulnerability has been fixed. After upgrading, repeat the reproduction request with a token from one namespace against a device UID from another to confirm that the foreign device's metadata is no longer returned.
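As an added example, not ShellHub's own code, the following Go program sketches the failure described under Reproduction and the check described under Remediation: a minimal net/http handler that validates the bearer token but ignores tenancy, the same handler with the tenant check that closes the hole, and a probe that performs the advisory's cross-tenant request against each. The Device field names, the token-to-tenant map, and the two sample devices are constructed for this example and are not ShellHub's schema or data.

```go
package main

import (
	"encoding/json"
	"fmt"
	"net/http"
	"net/http/httptest"
	"strings"
)

// Device carries the metadata fields the advisory lists as exposed. The
// field names are an assumption for this example, not ShellHub's schema.
type Device struct {
	UID       string `json:"uid"`
	Name      string `json:"name"`
	TenantID  string `json:"tenant_id"`
	Namespace string `json:"namespace"`
	MAC       string `json:"mac"`
	PublicKey string `json:"public_key"`
}

// Constructed sample inventory spanning two tenants (not real data).
var devices = map[string]Device{
	"aaaa1111": {UID: "aaaa1111", Name: "edge-01", TenantID: "tenant-a", Namespace: "acme",
		MAC: "02:00:00:aa:11:11", PublicKey: "ssh-ed25519 AAAA...A"},
	"bbbb2222": {UID: "bbbb2222", Name: "pos-07", TenantID: "tenant-b", Namespace: "globex",
		MAC: "02:00:00:bb:22:22", PublicKey: "ssh-ed25519 AAAA...B"},
}

// tokens stands in for JWT validation: each bearer token resolves to one tenant.
var tokens = map[string]string{
	"token-for-tenant-a": "tenant-a",
	"token-for-tenant-b": "tenant-b",
}

func tenantFromRequest(r *http.Request) (string, bool) {
	const prefix = "Bearer "
	auth := r.Header.Get("Authorization")
	if !strings.HasPrefix(auth, prefix) {
		return "", false
	}
	tenant, ok := tokens[strings.TrimPrefix(auth, prefix)]
	return tenant, ok
}

func uidFromPath(r *http.Request) string {
	return strings.TrimPrefix(r.URL.Path, "/api/devices/")
}

// vulnerableGetDevice authenticates the caller but never compares the
// device's tenant with the caller's: any valid token can read any UID.
func vulnerableGetDevice(w http.ResponseWriter, r *http.Request) {
	if _, ok := tenantFromRequest(r); !ok {
		http.Error(w, "unauthorized", http.StatusUnauthorized)
		return
	}
	d, ok := devices[uidFromPath(r)]
	if !ok {
		http.NotFound(w, r)
		return
	}
	json.NewEncoder(w).Encode(d)
}

// fixedGetDevice scopes the lookup to the caller's tenant. A UID owned by another
// tenant gets the same 404 as a nonexistent one, so nothing confirms it exists.
func fixedGetDevice(w http.ResponseWriter, r *http.Request) {
	tenant, ok := tenantFromRequest(r)
	if !ok {
		http.Error(w, "unauthorized", http.StatusUnauthorized)
		return
	}
	d, ok := devices[uidFromPath(r)]
	if !ok || d.TenantID != tenant {
		http.NotFound(w, r)
		return
	}
	json.NewEncoder(w).Encode(d)
}

// probe performs the advisory's reproduction step against handler h: GET
// /api/devices/<uid> with the given bearer token. It returns the status code
// and, on 200, the namespace from the body (non-empty means metadata leaked).
func probe(h http.HandlerFunc, token, uid string) (int, string) {
	req := httptest.NewRequest(http.MethodGet, "/api/devices/"+uid, nil)
	req.Header.Set("Authorization", "Bearer "+token)
	rec := httptest.NewRecorder()
	h(rec, req)
	if rec.Code != http.StatusOK {
		return rec.Code, ""
	}
	var d Device
	if err := json.NewDecoder(rec.Body).Decode(&d); err != nil {
		return rec.Code, ""
	}
	return rec.Code, d.Namespace
}

func main() {
	// A tenant-a token asks for tenant-b's device.
	code, ns := probe(vulnerableGetDevice, "token-for-tenant-a", "bbbb2222")
	fmt.Printf("vulnerable: status=%d namespace=%q\n", code, ns)
	code, ns = probe(fixedGetDevice, "token-for-tenant-a", "bbbb2222")
	fmt.Printf("fixed:      status=%d namespace=%q\n", code, ns)
}
```

Run with `go run .`: the vulnerable handler answers the cross-tenant request with 200 and the foreign namespace `globex`, the fixed handler with 404. Answering 404 rather than 403 for a foreign UID is a deliberate choice here so that the endpoint does not confirm which UIDs exist in other tenants; the same probe, pointed at a real instance with a real token, is the check to repeat after upgrading.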

Added: May 13, 2026, 10:27 PM
Updated: May 13, 2026, 10:27 PM

Vulnerability Rating

Custom Algorithm

spread: 0.0
impact: 0.6
exploitability: 6.6
remediation: 0.0
relevance: 8.2
threat: 6.4
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.