oban-bg oban_web
- >= 2.12.0, < 2.12.5
A missing authorization vulnerability affects the Oban Web component of the Oban background job processing library, in versions 2.12.0 prior to 2.12.5. The issue is in the 'Elixir.Oban.Web.Jobs.DetailComponent' module, whose 'handle_event("save-job", ...)' function does not check that the caller is allowed to modify jobs. Because a Phoenix LiveView event is simply a message on the client's WebSocket, an authenticated user with read-only access can send a forged 'save-job' event that overwrites a job's worker field with the name of any existing Oban.Worker module, regardless of whether the dashboard ever rendered an edit control for that user. On the job's next execution, Oban invokes 'perform/1' on the substituted worker module, passing it the job's existing arguments, instead of on the original worker.
Exploitation allows a read-only user to substitute the worker module of any job and so trigger code that the user is not authorized to run. The attacker is limited to worker modules already compiled into the application, so the impact depends on what the chosen worker does with the job's arguments; in the worst case this amounts to arbitrary code execution with the privileges of the job runner.
To reproduce, an authenticated session with at least read-only access to the Oban Web dashboard is required. After logging in, open the detail panel of any job to obtain its job ID. Then send a forged 'save-job' event over the LiveView WebSocket with the 'worker' parameter set to the name of the target module. The server accepts the event and updates the job's worker field; on the next execution attempt, Oban calls the 'perform/1' function of the chosen module instead of the original one.
Update to Oban Web 2.12.5 or later, where this vulnerability has been patched. Until then, restrict dashboard access to users who are trusted to modify jobs, since read-only access does not prevent the forged event.
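The following is an added illustration of the handler pattern the advisory describes; it is not Oban Web's code and does not reproduce the actual patch. It assumes Phoenix LiveView, an `:access` assign set at mount to `:all` or `:read_only` (a hypothetical name), and a hypothetical `MyApp.Jobs.update_worker/2` context function that persists the change. The first module shows the vulnerable shape, in which the server trusts that only users who saw a save button will send `"save-job"`; the second checks authorization inside the event handler itself and validates the submitted worker name before it touches the job.

```elixir
# Vulnerable shape (illustration, not Oban Web's code): no authorization in
# the event handler. A LiveView event is just a WebSocket message, so a
# read-only user who never saw a save button can still send it.
defmodule MyAppWeb.Jobs.VulnerableDetailComponent do
  use Phoenix.LiveComponent

  def handle_event("save-job", %{"worker" => worker}, socket) do
    # Assumed helper: rewrites job.worker and returns {:ok, job} | {:error, reason}
    {:ok, job} = MyApp.Jobs.update_worker(socket.assigns.job, worker)
    {:noreply, assign(socket, job: job)}
  end

  def render(assigns) do
    ~H"""
    <div id={"job-#{@job.id}"}><%= @job.worker %></div>
    """
  end
end

# Hardened shape: authorization is decided server-side in the handler, using
# the access level assigned at mount (assumed to be :all or :read_only), and
# the worker name is validated before anything is persisted.
defmodule MyAppWeb.Jobs.HardenedDetailComponent do
  use Phoenix.LiveComponent

  def handle_event("save-job", %{"worker" => worker}, socket) do
    with :ok <- authorize(socket.assigns.access),
         {:ok, module} <- resolve_worker(worker),
         {:ok, job} <- MyApp.Jobs.update_worker(socket.assigns.job, module) do
      {:noreply, assign(socket, job: job, error: nil)}
    else
      {:error, reason} -> {:noreply, assign(socket, error: reason)}
    end
  end

  # Any event that can be sent by a non-writer is rejected here; the saved
  # assign, not the rendered UI, is the source of truth.
  def handle_event(_event, _params, socket), do: {:noreply, socket}

  def render(assigns) do
    ~H"""
    <div id={"job-#{@job.id}"}>
      <%= @job.worker %>
      <%= if @error, do: "error: #{inspect(@error)}" %>
    </div>
    """
  end

  defp authorize(:all), do: :ok
  defp authorize(_), do: {:error, :forbidden}

  # Defense in depth: only accept a module that already exists and declares the
  # Oban.Worker behaviour. String.to_existing_atom keeps user input from
  # growing the atom table; the rescue turns an unknown name into an error.
  defp resolve_worker(name) when is_binary(name) do
    module = String.to_existing_atom("Elixir." <> name)

    behaviours =
      if Code.ensure_loaded?(module),
        do: module.__info__(:attributes) |> Keyword.get_values(:behaviour) |> List.flatten(),
        else: []

    if Oban.Worker in behaviours, do: {:ok, module}, else: {:error, :invalid_worker}
  rescue
    ArgumentError -> {:error, :invalid_worker}
  end

  defp resolve_worker(_), do: {:error, :invalid_worker}
end
```

The worker validation does not by itself stop the attack described above, since the attacker deliberately chooses an existing Oban.Worker; the fix is the `authorize/1` call, which must run in `handle_event` rather than only in the template that decides whether to show the button.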