Tencent WeKnora Config API Endpoint Authorization Bypass Vulnerability

Vulnerability

An authorization bypass vulnerability has been identified in Tencent WeKnora versions through 0.3.6. The issue resides in the Config API Endpoint, specifically within the 'getKnowledgeBaseForInitialization' function in 'internal/handler/initialization.go'. This vulnerability allows authenticated users to bypass authorization and access or modify Knowledge Base configurations of other tenants. The flaw can be exploited remotely, leading to unauthorized cross-tenant data access and manipulation.

Impact

Exploitation of this vulnerability allows for unauthorized reading and modification of Knowledge Base configurations across different tenants, potentially disrupting knowledge base operations and causing logical inconsistencies.

Reproduction

To reproduce this vulnerability, register two users: one as the victim and the other as the attacker. The attacker can then use the victim's Knowledge Base ID to read and modify its configuration through the vulnerable API endpoints, bypassing authorization checks.
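
The ownership check that this class of bug lacks, shown as an added example that is not WeKnora's code: a Knowledge Base lookup that compares the record's tenant with the caller's tenant on both the read and the write path. The types, function names and sample IDs are hypothetical, and the store is an in-memory map of constructed data.

```go
package main

import (
	"errors"
	"fmt"
)

// Hypothetical model for illustration; not WeKnora's actual types.
type KnowledgeBase struct {
	TenantID uint64
	Config   string
}
type Store map[string]*KnowledgeBase // keyed by knowledge base ID

// Same error for "missing" and "other tenant's", so foreign IDs are not confirmed.
var ErrNotFound = errors.New("knowledge base not found")

// lookupUnscoped shows the flaw class: the caller's tenant is never consulted.
func lookupUnscoped(s Store, kbID string) (*KnowledgeBase, error) {
	if kb, ok := s[kbID]; ok {
		return kb, nil
	}
	return nil, ErrNotFound
}

// lookupScoped requires the tenant from the authenticated session (never
// from request parameters) to match the record's owner.
func lookupScoped(s Store, callerTenant uint64, kbID string) (*KnowledgeBase, error) {
	kb, ok := s[kbID]
	if !ok || kb.TenantID != callerTenant {
		return nil, ErrNotFound
	}
	return kb, nil
}

// updateConfigScoped reuses the same check on the write path.
func updateConfigScoped(s Store, callerTenant uint64, kbID, cfg string) error {
	kb, err := lookupScoped(s, callerTenant, kbID)
	if err == nil {
		kb.Config = cfg
	}
	return err
}

// sampleStore is constructed data: two tenants, one knowledge base each.
func sampleStore() Store {
	return Store{"kb-1": {TenantID: 1, Config: "a"}, "kb-2": {TenantID: 2, Config: "b"}}
}

func main() { fmt.Println(lookupScoped(sampleStore(), 2, "kb-1")) }
```

The two-tenant setup from the reproduction steps doubles as a regression test: the second tenant's read and write against the first tenant's ID must both fail with the same error as a nonexistent ID.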

Added: May 18, 2026, 4:19 AM
Updated: May 18, 2026, 4:19 AM

Vulnerability Rating

Custom Algorithm

spread: 0.0
impact: 1.3
exploitability: 6.6
remediation: 0.0
relevance: 8.7
threat: 6.4
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.