Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Faulty permission handling in '/v/vm' functions #16

Open
maxkofler opened this issue Feb 9, 2024 · 0 comments
Open

Faulty permission handling in '/v/vm' functions #16

maxkofler opened this issue Feb 9, 2024 · 0 comments
Labels
bug Something isn't working

Comments

@maxkofler
Copy link
Collaborator

The /v/vm endpoints do not check for correct permissions. The code does only check for permission, but not on the target group (group to create the VM in / group that owns the VM).

This allows a user to exploit his permissions. If he has velocity.vm.create on one group, he can create VMs in every group he likes.
@maxkofler maxkofler added the bug Something isn't working label Feb 9, 2024
@maxkofler maxkofler moved this to Backlog in Velocity Feb 13, 2024
@maxkofler maxkofler moved this from Backlog to Ready in Velocity Feb 13, 2024
maxkofler added a commit that referenced this issue Apr 17, 2024
@maxkofler
Fix issue #16 - Unauthorized access to VM functions
f6db5c5
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
bug Something isn't working
Projects
Velocity
Status: Ready
Milestone
No milestone
Development

No branches or pull requests
1 participant
@maxkofler