Description
Cockpit CMS contains a missing authorization vulnerability in the Bucket file storage API (/system/buckets/api). The api() method in modules/System/Controller/Buckets.php executes bucket commands (ls, upload, removefiles, rename, createfolder) without performing any ACL or role check. Any authenticated user, regardless of role, can perform all bucket operations on any named bucket, including buckets intended for admin use only.
Problem types
Product status
Any version before 2.14.0
Credits
Saidakbarxon Maxsudxonov
References
github.com/cockpit-hq/cockpit (Product)
github.com/...ommit/dde2d1d74f5f4e11de42a298918ea8c9684f932c (Patch Commit)
gist.github.com/sermikr0/821c4edd3c34e98a62a50b07707785bd
www.vulncheck.com/...uthorization-in-bucket-file-storage-api