Security Advisory: Hidden panels on detail page are accessible by URL
Date: 27. 02. 2024
Severity: 6.4 (Medium)
Affected versions: All midPoint versions from 4.7 prior to 4.7.4, 4.8.2
Fixed in versions: 4.7.4, 4.8.2
Description
Panels that contain a configuration for visibility as 'hidden' are not displayed in the menu, but they can be displayed by changing the identifier in the 'panelId' URL parameter.
Severity and Impact
This is Medium Severity Issue.
MidPoint contains a configuration for the visibility of the panel as 'hidden' (for example, a panel for organization assignments with the identifier 'orgAssignments').
Users with GUI authorization for the details page (for example, http://midpoint.evolveum.com/xml/ns/public/security/authorization-ui-3#selfProfile) and model authorizations for the objects displayed in the hidden panel (for example, read/write for the OrgType) can do the following:
The user opens a details page with panels (for example, a profile page) and changes the 'panelId' parameter in the URL to the hidden panel identifier (for example, 'orgAssignments'). The content of the hidden panel is displayed.
Mitigation
Users of affected MidPoint versions are advised to upgrade their deployments to the latest maintenance releases.
In the meantime, users are advised to limit model authorizations to only necessary objects and object items.