CVE-2018-20345 in StackStorm

Summary

by MITRE

Incorrect access control in StackStorm API (st2api) in StackStorm before 2.9.2 and 2.10.x before 2.10.1 allows an attacker (who has a StackStorm account and is authenticated against the StackStorm API) to retrieve datastore items for other users by utilizing the /v1/keys "?scope=all" and "?user=<username>" query filter parameters. Enterprise editions with RBAC enabled are not affected.


Analysis

by VulDB Data Team • 04/23/2020

This vulnerability is a critical access control flaw in the StackStorm automation platform that undermines the security boundaries between users within the system. It affects StackStorm versions prior to 2.9.2 and 2.10.1, where authenticated users can use specific API endpoints to access sensitive datastore items belonging to other users. The flaw stems from improper validation of user permissions when the st2api service processes query parameters, specifically the scope and user filter parameters, which allow unauthorized data enumeration across user boundaries.

The flaw is triggered through the query parameters of the /v1/keys endpoint, where an attacker appends "?scope=all" and "?user=<username>" to bypass the normal access controls. This allows authenticated users to retrieve datastore items that should be restricted to specific user scopes, effectively creating a privilege escalation vector through which data leaks between users. The vulnerability is classified under CWE-284, which addresses improper access control, and aligns with ATT&CK technique T1078 for valid accounts and T1566 for credential access through API exploitation. It is a classic case of insufficient authorization checks: the system fails to verify that the requesting user has legitimate access to the specified user's datastore items.

The operational impact of this vulnerability extends beyond simple data leakage, as it can expose sensitive configuration parameters, authentication credentials, and other confidential information stored in the StackStorm datastore. Attackers with valid accounts can systematically enumerate and access data belonging to other users, potentially leading to privilege escalation, credential theft, or exposure of internal system configurations. This is particularly concerning in enterprise environments where StackStorm is used for automation and orchestration tasks, as it could enable attackers to gain insights into operational procedures, system dependencies, and potentially access additional systems through compromised credentials stored in the datastore. The vulnerability affects all StackStorm editions except those with RBAC enabled, highlighting the importance of proper role-based access controls in preventing such cross-user data access patterns.

Organizations should immediately upgrade to StackStorm 2.9.2 or 2.10.1 or later, which contain the necessary access control fixes. Administrators should also review and harden their StackStorm configurations to ensure proper RBAC implementation, monitor API access logs for suspicious query patterns, and consider additional network-level controls that restrict access to sensitive API endpoints. The vulnerability underscores the importance of validating all user inputs and implementing robust access control mechanisms, particularly in systems that handle sensitive operational data. Security teams should also audit their StackStorm deployments to identify any potential exposure and confirm that proper user isolation and data protection measures are in place to prevent similar access control bypasses.
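As an added example (not VulDB's or StackStorm's own code), a small detector for the query pattern described above, run over constructed st2api-style access log lines; the log line format, its field names and the user names are assumptions, so map them to the fields of your real st2api logs.

```python
"""Flag /v1/keys requests that use the cross-user parameters behind CVE-2018-20345."""
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample log (not StackStorm's real format):
# "<timestamp> user=<authenticated user> <METHOD> <path?query> <status>"
SAMPLE_LOG = """\
2018-12-21T10:00:01Z user=alice GET /v1/keys 200
2018-12-21T10:00:05Z user=alice GET /v1/keys?scope=all 200
2018-12-21T10:00:09Z user=alice GET /v1/keys?user=bob 200
2018-12-21T10:00:12Z user=bob GET /v1/keys?user=bob 200
2018-12-21T10:00:15Z user=alice GET /v1/actions?limit=10 200
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) (?P<method>\S+) (?P<target>\S+) (?P<status>\d+)$"
)


def classify(line):
    """Return a short reason if the line matches the cross-user pattern, else None."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    target = urlsplit(m.group("target"))
    if target.path != "/v1/keys":
        return None
    qs = parse_qs(target.query)
    if qs.get("scope") == ["all"]:
        return "scope=all"            # lists every user's datastore items
    for other in qs.get("user", []):
        if other != m.group("user"):
            return f"user={other}"    # asks for another user's items
    return None                        # own scope or own user: normal use


def find_suspicious(log_text):
    """Return (timestamp, requester, reason) for each flagged line."""
    hits = []
    for line in log_text.splitlines():
        reason = classify(line)
        if reason:
            m = LINE_RE.match(line.strip())
            hits.append((m.group("ts"), m.group("user"), reason))
    return hits


if __name__ == "__main__":
    for hit in find_suspicious(SAMPLE_LOG):
        print(*hit)
```

Accounts that are expected to use these parameters (for example administrators on a patched, RBAC-enabled deployment) should be allowlisted before alerting on the result.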

Reservation: 12/21/2018

Disclosure: 12/21/2018

Moderation: accepted

CPE: ready

EPSS: 0.00356

KEV: no

Activities: very low
