Description
Capgo before 12.128.2 contains an information disclosure vulnerability in the find_apikey_by_value PostgreSQL function marked SECURITY DEFINER and executable by the anon role. Unauthenticated attackers can call this function via the /rest/v1/rpc/find_apikey_by_value endpoint to retrieve sensitive API key metadata including user_id, mode, org scoping, and expiration details when supplied a valid key value.
Problem types
Exposure of Sensitive Information to an Unauthorized Actor
Product status
Any version before 12.128.2
12.128.2 (semver)
Credits
Judel777
References
github.com/.../capgo/security/advisories/GHSA-2xjq-h43m-592f
github.com/.../capgo/security/advisories/GHSA-2xjq-h43m-592f (GitHub Security Advisory (GHSA-2xjq-h43m-592f))
www.vulncheck.com/...osure-via-security-definer-rpc-function (VulnCheck Advisory: Capgo - Unauthenticated API Key Metadata Disclosure via SECURITY DEFINER RPC Function)