Velociraptor Incorrect Authorization Vulnerability in Query Plugin Allows Cross-Org Access

A vulnerability exists in the Velociraptor query() plugin in versions prior to 0.76.3. This vulnerability allows an authenticated GUI user to access all organizations using the current ACL token. Users with access to one organization can execute VQL queries on other organizations through the query() plugin in a notebook cell, potentially accessing data they are not authorized to. The permissions in the accessed organization mirror those in the user's original organization.

Impact

Exploitation of this vulnerability could lead to unauthorized access to data across different organizations, allowing users to bypass organizational access controls and query sensitive information they should not have access to.

Remediation

Users can upgrade to Velociraptor version 0.76.3 or 0.75.8, depending on their current version. Alternatively, the query() plugin can be disabled by adding it to the denied_plugins list in the server.config.yaml file.