Privilege Escalation - Manager to Operator

High
ChrisMacNaughton published GHSA-qx6m-h9xx-52gr Feb 5, 2022

Package

EyeDP (Product)

Affected versions

<= 1.0.0.0b1

Patched versions

1.0.0

Description

The logic that processes adding users to groups is affected by a flaw that allows a Manager to add existing users to groups with Operator privileges. Whenever a Manager edits an existing user, the user is added to all the groups with Operator privileges defined in the current EyeDP environment.
The root cause of the issue is in app/controllers/admin/users_controller.rb, method model_params, line 178 and following:

if p[:group_ids] && current_user.manager? && !current_user.admin?
  # A Manager cannot add a user to an operator or admin group
  p[:group_ids] -= Group.where(admin: true).or(Group.where(operator: true)).pluck(:id)
  # A manager cannot remove admin from an admin user nor operator from an operator user
  p[:group_ids] += @model.groups.where(admin: true).or(Group.where(operator: true)).pluck(:id) unless @model.nil?
  p[:group_ids].uniq!
end

When the existing privileged groups are re-added to p[:group_ids], the code adds Group.where(operator: true) rather than @model.groups.where(operator: true), resulting in all the groups with operator privileges being added back to p[:group_ids] rather than only the ones previously assigned to the target user.
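The flawed and corrected filters, modelled in plain Ruby as an added example (this is not EyeDP's own code; Group, User, the sample groups and the helper names are constructed stand-ins for the ActiveRecord models in the advisory):

```ruby
# Added example (not EyeDP's code): a plain-Ruby model of the group filter in
# admin/users_controller.rb#model_params, with the flawed and corrected re-add
# side by side. All types and sample data are constructed; no Rails is needed.
Group = Struct.new(:id, :name, :admin, :operator)
User  = Struct.new(:name, :admin, :manager, :groups)

ALL_GROUPS = [
  Group.new(1, "ops-a",  false, true),   # operator group
  Group.new(2, "ops-b",  false, true),   # operator group
  Group.new(3, "admins", true,  false),  # admin group
  Group.new(4, "staff",  false, false),  # unprivileged group
].freeze

MANAGER    = User.new("manager", false, true,  [ALL_GROUPS[3]])
STAFF_USER = User.new("alice",   false, false, [ALL_GROUPS[3]])                # no privileged groups
OPS_A_USER = User.new("bob",     false, false, [ALL_GROUPS[3], ALL_GROUPS[0]]) # already in ops-a

def privileged_ids(groups)
  groups.select { |g| g.admin || g.operator }.map(&:id)
end

# Shared part of the filter: a manager may never add privileged groups, so any
# admin/operator ids in the request are dropped before the re-add step.
def strip_privileged(requested_ids, current_user)
  return requested_ids.dup unless current_user.manager && !current_user.admin
  requested_ids - privileged_ids(ALL_GROUPS)
end

# Flawed re-add (mirrors the advisory's line): the target's own admin groups are
# re-added, but so is EVERY operator group, because the second relation is
# Group.where(operator: true) rather than @model.groups.where(operator: true).
def filter_group_ids_vulnerable(requested_ids, current_user, target)
  ids = strip_privileged(requested_ids, current_user)
  if current_user.manager && !current_user.admin
    ids += target.groups.select(&:admin).map(&:id)
    ids += ALL_GROUPS.select(&:operator).map(&:id)   # BUG: not scoped to target
  end
  ids.uniq
end

# Corrected re-add: only the privileged groups the target already holds come
# back, so a manager can neither grant nor revoke operator/admin membership.
def filter_group_ids_fixed(requested_ids, current_user, target)
  ids = strip_privileged(requested_ids, current_user)
  ids += privileged_ids(target.groups) if current_user.manager && !current_user.admin
  ids.uniq
end
```

Editing an unprivileged user with the flawed filter silently returns every operator group; the corrected filter returns only what the user already held, and still refuses to drop an existing operator membership.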

Impact

The Manager user can add themselves or any other user to all the groups with Operator privileges, simply by editing the user information, thus escalating their privileges. Note that, if there exists a group with both Operator and Administrator privileges, the Manager user can escalate privileges to those of Administrator.

Patches

This issue is resolved in ca187c. Users should upgrade to the latest commit on main or to a 1.0.0 or later release.

Workarounds

None

For more information

If you have any questions or comments about this advisory:

Severity

High

CVE ID

No known CVE

Weaknesses

Incorrect Privilege Assignment

A product incorrectly assigns a privilege to a particular actor, creating an unintended sphere of control for that actor. Learn more on MITRE.