| Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
|---|---|---|---|
| github.com/casdoor/casdoor | go | < 2.63.0 | 2.63.0 |
The vulnerability is an Improper Authorization issue within Casdoor, allowing an authenticated administrator of one organization to modify or delete resources (Applications, Syncers, Tokens, Webhooks) belonging to other organizations. The root cause is a failure to consistently enforce organization-based access control in the backend API.
The analysis of the patch commit d883db907bb6e0b95737ef8e8b57b7da9078cbdd reveals two primary failure patterns:
Unauthorized Ownership Transfer: The Update functions for various resources (e.g., object.UpdateApplication) allowed a user to change the organization attribute of a resource without verifying that the user was a global administrator. This allowed an organization administrator to effectively seize control of resources from other organizations.
Cross-Organization Deletion: The Delete functions (e.g., object.deleteApplication) constructed database deletion queries using only the resource's name and owner, but not its organization. An attacker could therefore delete resources from any organization if they could guess or obtain the resource's ID.
The patch rectifies these issues by:
- Adding an isGlobalAdmin check in all Update functions, so that only global admins can change a resource's organization.
- Adding a .Where("organization = ?", ...) clause to all database Delete operations, scoping the query to the correct organization and preventing cross-tenant deletions.
- Strengthening the authz.IsAllowed authorization checks by ensuring the object's organization is correctly parsed from the request and used in access decisions.

During an exploit, a stack trace would likely show calls originating from the API controllers (e.g., controllers.(*ApiController).UpdateApplication) and passing through to the vulnerable business logic functions in the object package (e.g., object.UpdateApplication).
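The following Go program is an added illustration of the two failure patterns and their fixes; it is not Casdoor's code and is not taken from the patch. It models the database as an in-memory map keyed on owner and name, so that the effect of a missing organization clause is visible. The Application, Caller and Store types, the isOrgAdmin helper, and the assumption that the vulnerable Update path authorized against the organization supplied in the request body (consistent with the third fix above, but a simplification) are all illustrative.

```go
package main

import (
	"errors"
	"fmt"
)

var ErrForbidden = errors.New("forbidden")
var ErrNotFound = errors.New("not found")

// Application is an assumed stand-in for a tenant-scoped resource: rows are looked
// up by Owner and Name, and Organization is the tenant that controls the row.
type Application struct{ Owner, Name, Organization string }

// Caller is the authenticated user making the request (assumed model).
type Caller struct {
	Organization  string // the organization this caller administers
	IsGlobalAdmin bool
}

type key struct{ owner, name string } // what "WHERE owner = ? AND name = ?" selects on
// Store is an in-memory stand-in for the database table.
type Store struct{ apps map[key]Application }

func NewStore(apps ...Application) *Store {
	s := &Store{apps: map[key]Application{}}
	for _, a := range apps {
		s.apps[key{a.Owner, a.Name}] = a
	}
	return s
}

// isOrgAdmin models the authz decision "does the caller administer org?".
func isOrgAdmin(c Caller, org string) bool {
	return c.IsGlobalAdmin || c.Organization == org
}

// UpdateVulnerable checks the organization the request claims, then stores the object
// wholesale, so an org admin can relabel another organization's resource as its own.
func (s *Store) UpdateVulnerable(c Caller, in Application) error {
	if !isOrgAdmin(c, in.Organization) {
		return ErrForbidden
	}
	s.apps[key{in.Owner, in.Name}] = in
	return nil
}

// UpdateHardened checks the stored row's organization, and only a global admin may
// change the organization field (the patch's isGlobalAdmin check).
func (s *Store) UpdateHardened(c Caller, in Application) error {
	cur, ok := s.apps[key{in.Owner, in.Name}]
	if !ok {
		return ErrNotFound
	}
	if !isOrgAdmin(c, cur.Organization) || (in.Organization != cur.Organization && !c.IsGlobalAdmin) {
		return ErrForbidden
	}
	s.apps[key{in.Owner, in.Name}] = in
	return nil
}

// DeleteVulnerable models "DELETE ... WHERE owner = ? AND name = ?": the check runs
// against a caller-chosen organization and the query never mentions one at all.
func (s *Store) DeleteVulnerable(c Caller, owner, name, claimedOrg string) (int, error) {
	if !isOrgAdmin(c, claimedOrg) {
		return 0, ErrForbidden
	}
	if _, ok := s.apps[key{owner, name}]; !ok {
		return 0, nil
	}
	delete(s.apps, key{owner, name})
	return 1, nil // rows affected
}

// DeleteHardened models the added "AND organization = ?" clause: the organization that
// passed the check also scopes the query, so another tenant's row is never matched.
func (s *Store) DeleteHardened(c Caller, owner, name, org string) (int, error) {
	if !isOrgAdmin(c, org) {
		return 0, ErrForbidden
	}
	if a, ok := s.apps[key{owner, name}]; !ok || a.Organization != org {
		return 0, nil
	}
	delete(s.apps, key{owner, name})
	return 1, nil
}

func main() {
	attacker := Caller{Organization: "org-a"} // administers org-a only
	victim := Application{Owner: "admin", Name: "app-b", Organization: "org-b"}
	stolen := Application{Owner: "admin", Name: "app-b", Organization: "org-a"} // claimed org
	fmt.Println("vulnerable update:", NewStore(victim).UpdateVulnerable(attacker, stolen)) // <nil>: seized
	fmt.Println("hardened update:", NewStore(victim).UpdateHardened(attacker, stolen))     // forbidden
	n, err := NewStore(victim).DeleteVulnerable(attacker, "admin", "app-b", "org-a")
	fmt.Println("vulnerable delete:", n, err) // 1 <nil>: cross-tenant row removed
	n, err = NewStore(victim).DeleteHardened(attacker, "admin", "app-b", "org-a")
	fmt.Println("hardened delete:", n, err) // 0 <nil>: row not matched
}
```

The point the hardened delete makes is that scoping the query alone is not enough: the organization used in the WHERE clause has to be the same value the authorization check was made against, otherwise an attacker can satisfy the check with their own organization and still name another tenant's row.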