Security Advisory: Less privileged user able to execute custom Groovy scripts via Bulk Tasks
Date: 20. 9. 2023
Severity: High (CVSS 8.5)
Affected versions: all midPoint versions
Fixed in versions: 4.4.6, 4.8, 4.7.2
Non-admin users who are authorized to execute bulk actions (using the model-3#executeScript authorization) are able to execute arbitrary Groovy code if they have authorization to submit custom bulk actions using REST (authorization rest#all) or have access to the Bulk Actions page (authorization
Severity and Impact
This is a high-severity issue.
The affected feature is not enabled by default for end users. A midPoint deployment is only affected if non-administrator users have authorization for:
Update to the latest maintenance midPoint release, which contains the fix.
Remove authorizations for ui-3#pageBulkAction for those users who have
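The exposure described in this advisory is a combination of authorizations (model-3#executeScript together with rest#all or ui-3#pageBulkAction) held by a non-administrator, and midPoint evaluates that combination per user across all of their roles, not per role. The following Python script, added here as an illustration and not part of the advisory or of midPoint itself, audits an exported set of roles and users for that combination so an administrator can see whom the mitigation step (removing the entry-point authorizations) applies to. It assumes midPoint's common-3 XML namespace and the full authorization URIs of the form `http://midpoint.evolveum.com/xml/ns/public/security/authorization-<module>#<action>` (the advisory uses the short forms; the `rest-3` namespace segment is an assumption), and it follows only direct role assignments, not inducements or role hierarchy, so treat it as a first pass rather than a complete effective-authorization calculation. The sample export is constructed for the example.

```python
import xml.etree.ElementTree as ET

# midPoint common object namespace and authorization URI prefix (assumptions
# about midPoint's export format, not taken from the advisory).
C_NS = "http://midpoint.evolveum.com/xml/ns/public/common/common-3"
AUTHZ = "http://midpoint.evolveum.com/xml/ns/public/security/authorization-"

# Full-URI forms of the authorizations named in the advisory.
EXECUTE_SCRIPT = AUTHZ + "model-3#executeScript"
REST_ALL = AUTHZ + "rest-3#all"
PAGE_BULK_ACTION = AUTHZ + "ui-3#pageBulkAction"
# Entry points through which custom bulk actions (and thus scripts) can be submitted.
ENTRY_POINTS = {REST_ALL, PAGE_BULK_ACTION}


def q(tag):
    """Qualify a tag name with the midPoint common namespace."""
    return f"{{{C_NS}}}{tag}"


# Constructed sample export: three roles and two users. Alice combines the
# script authorization with the UI entry point; Bob only has script + read.
SAMPLE_EXPORT = f"""<objects xmlns="{C_NS}">
  <role oid="role-bulk">
    <name>Bulk script executor</name>
    <authorization><action>{EXECUTE_SCRIPT}</action></authorization>
  </role>
  <role oid="role-ui">
    <name>Bulk actions page</name>
    <authorization><action>{PAGE_BULK_ACTION}</action></authorization>
  </role>
  <role oid="role-read">
    <name>Reader</name>
    <authorization><action>{AUTHZ}model-3#read</action></authorization>
  </role>
  <user oid="user-alice">
    <name>alice</name>
    <assignment><targetRef oid="role-bulk" type="RoleType"/></assignment>
    <assignment><targetRef oid="role-ui" type="RoleType"/></assignment>
  </user>
  <user oid="user-bob">
    <name>bob</name>
    <assignment><targetRef oid="role-bulk" type="RoleType"/></assignment>
    <assignment><targetRef oid="role-read" type="RoleType"/></assignment>
  </user>
</objects>"""


def load_roles(root):
    """Map role OID -> set of authorization action URIs granted directly by that role."""
    roles = {}
    for role in root.iter(q("role")):
        roles[role.get("oid")] = {
            a.text.strip() for a in role.iter(q("action")) if a.text
        }
    return roles


def effective_actions(user, roles):
    """Union of actions from the user's directly assigned roles.

    Inducements and role hierarchy are not resolved here (simplification).
    """
    actions = set()
    for ref in user.iter(q("targetRef")):
        actions |= roles.get(ref.get("oid"), set())
    return actions


def exposed_entry_points(actions):
    """Return the entry points that make executeScript reachable for this action set.

    An empty set means the advisory's precondition is not met.
    """
    if EXECUTE_SCRIPT not in actions:
        return set()
    return actions & ENTRY_POINTS


def audit(xml_text):
    """Map user name -> sorted list of risky entry points, for affected users only."""
    root = ET.fromstring(xml_text)
    roles = load_roles(root)
    findings = {}
    for user in root.iter(q("user")):
        entry = exposed_entry_points(effective_actions(user, roles))
        if entry:
            findings[user.find(q("name")).text] = sorted(entry)
    return findings


if __name__ == "__main__":
    for name, entry in audit(SAMPLE_EXPORT).items():
        print(f"{name}: executeScript reachable via {', '.join(entry)}")
```

Run it against a real export (`audit(open("export.xml").read())`) after replacing the constructed sample; any user it lists either needs the patched release or should lose the rest#all / ui-3#pageBulkAction authorization as the advisory recommends.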