CVE-2020-8817 - Mass Assignment in "Created by" attributes of Dataiku DSS Project Wiki Articles

2020, Mar 10    
  • CVE Id: CVE-2020-8817
  • CVSS Base Score: 4.3
  • Severity: Medium
  • CWE classification: CWE-284

Dataiku DSS - CVE-2020-8817 Advisory

Affected asset(s)

  • https://dataiku-dss-api/dip/api/projects/wikis/save-article

Description

A user who has access to a project and can edit a Wiki Article can tamper with the input sent to the API endpoint and replace the "Created By" attributes of the Wiki Article (user, timestamp, etc.) with arbitrary values.

Steps to reproduce

  • A victim creates a new article

Figure 1 – Newly created article with valid Creation values

  • Attacker accesses an article that he can edit:

  • He intercepts the requests made to the API after Saving

  • He replaces the values inside the JSON array corresponding to the Creation Tag (i.e. user and timestamp):

Figure 2 - Request with highlighted “Created By” User and Timestamp values that will be replaced

  • Anyone who accesses the article View section will see the injected false values

Figure 3 - A third user (or any other user) accesses the article and sees the fake values injected by the attacker

Impact

Compromise of the integrity of the Wiki Article functionality – an attacker can lead others to believe that an article was created by an arbitrary user, or even a nonexistent user, when it was not.

Prerequisites

  • Edit access to the article

Mitigation

Remove the possibility of the Creation Tag being generated client-side and sent to the server via the API without validation.
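The sketch below is an added example of this mitigation, not Dataiku's code: a save handler that allowlists the fields an editor may change and derives the creation and modification tags from the authenticated session, shown next to the mass-assignment pattern it replaces. The field names (`title`, `body`, `creation_tag`, `modification_tag`), the in-memory `store` and both function names are assumptions made for illustration.

```python
import copy
import time

# Assumed field names for illustration; the real DSS article schema is not shown on this page.
EDITABLE_FIELDS = {"title", "body"}


def save_article_unsafe(store, article_id, request_body):
    """Mass-assignment pattern: every key in the request overwrites the record."""
    article = copy.deepcopy(store[article_id])
    article.update(request_body)  # a client-supplied creation_tag is accepted as-is
    store[article_id] = article
    return article


def save_article(store, article_id, request_body, session_user, now_ms=None):
    """Hardened save: allowlist editable fields, derive tags from the session.

    Returns (saved_article, rejected_fields) so the caller can log tampering attempts.
    """
    now_ms = int(time.time() * 1000) if now_ms is None else now_ms
    # Anything outside the allowlist is ignored and reported, never stored.
    rejected = sorted(k for k in request_body if k not in EDITABLE_FIELDS)

    existing = store.get(article_id)
    if existing is None:
        # The creation tag is set once, server-side, from the authenticated session.
        article = {"id": article_id,
                   "creation_tag": {"user": session_user, "timestamp": now_ms}}
    else:
        article = copy.deepcopy(existing)  # creation_tag is carried over unchanged

    for field in sorted(EDITABLE_FIELDS):
        if field in request_body:
            if not isinstance(request_body[field], str):
                raise ValueError(f"{field} must be a string")
            article[field] = request_body[field]

    # The modification tag also comes from the session, not from the request body.
    article["modification_tag"] = {"user": session_user, "timestamp": now_ms}
    store[article_id] = article
    return article, rejected
```

A non-empty `rejected` list on a save request is a useful audit signal, since a normal client has no reason to send tag fields.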

Reference