CVE-2019-18641 in Rock RMS
Summary
by MITRE
Rock RMS before 1.8.6 mishandles vCard access control within the People/GetVCard/REST controller.
Analysis
by VulDB Data Team • 04/18/2024
The vulnerability identified as CVE-2019-18641 affects Rock RMS versions prior to 1.8.6 and is an access control flaw in the People/GetVCard REST controller. The controller serves the vCard export function, which returns a person's contact record in standard vCard format, and a vCard typically carries names, email addresses, phone numbers and other identifying details. Because the access check on that export is mishandled, a requester can obtain vCards for people whose records they were never authorized to view, exposing personal data held in the system.
The technical flaw is that the GetVCard endpoint serialises and returns the requested person's record without first deciding whether the caller is allowed to view that person. The public description does not state whether a login is needed to reach the endpoint at all; what it does state is that the authorization decision itself is mishandled, so at minimum any authenticated user, and possibly unauthenticated clients, can request vCards for other people in the Rock RMS database simply by addressing the REST controller with a target identifier. No credentials or permissions beyond reaching the endpoint are needed. The defect is in the code path rather than in deployment configuration, and it bypasses the intended rule that vCard access is limited to people the requester is permitted to see, producing a direct data exposure.
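To make the missing check concrete, here is an added illustration (not Rock RMS code, and not the project's data model) of a GetVCard-style handler in the shape described above, beside a hardened version. The `Person` record, the `view_allowed` set standing in for the platform's VIEW permission, and the sample people are constructed assumptions for the example.

```python
from dataclasses import dataclass, field

# Constructed sample data for the example; not Rock RMS's schema. "view_allowed"
# stands in for whatever the platform uses to decide who may VIEW a person record.
@dataclass
class Person:
    person_id: int
    full_name: str
    email: str
    phone: str
    view_allowed: set = field(default_factory=set)  # requester ids allowed to view

PEOPLE = {
    1: Person(1, "Alice Example", "alice@example.org", "+1-555-0100", view_allowed={10}),
    2: Person(2, "Bob Example", "bob@example.org", "+1-555-0101", view_allowed={11}),
}


def build_vcard(p: Person) -> str:
    """Serialise a person as a minimal vCard 3.0; this is the data the endpoint leaks."""
    return "\r\n".join([
        "BEGIN:VCARD",
        "VERSION:3.0",
        f"FN:{p.full_name}",
        f"EMAIL:{p.email}",
        f"TEL:{p.phone}",
        "END:VCARD",
    ]) + "\r\n"


def get_vcard_vulnerable(person_id, requester_id=None):
    """Shape of the pre-1.8.6 flaw as described in the text: resolve the record and
    serialise it, never consulting who is asking or whether they may view it.
    Returns (http_status, body)."""
    p = PEOPLE.get(person_id)
    if p is None:
        return 404, ""
    return 200, build_vcard(p)


def get_vcard_fixed(person_id, requester_id):
    """Hardened handler: require an authenticated requester, then check VIEW
    authorization on the target record before any serialisation happens."""
    if requester_id is None:
        return 401, ""
    p = PEOPLE.get(person_id)
    # Answer "missing" and "not yours" identically so the endpoint cannot be used
    # to confirm which person ids exist.
    if p is None or requester_id not in p.view_allowed:
        return 403, ""
    return 200, build_vcard(p)


if __name__ == "__main__":
    # Requester 10 may view Alice only; the vulnerable handler hands out Bob anyway.
    print(get_vcard_vulnerable(2, requester_id=10))
    print(get_vcard_fixed(2, requester_id=10))
```

The point of the fixed version is ordering: the authorization decision is taken on the resolved target record, before a single byte of the vCard is built, and an unauthorized request receives the same response as a non-existent one.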
The operational impact goes beyond simple data leakage. Exported vCards give an attacker a ready-made contact list that supports social engineering, identity theft and targeted phishing, and the email addresses and phone numbers in them can be used to go after the same people on other services or to build profiles for impersonation. Organizations running Rock RMS for church management, educational institutions or healthcare settings are particularly exposed, because those deployments hold personal data on congregants, students or patients. Since the endpoint is addressed by identifier, retrieval can be scripted and run through a range of identifiers, which makes the issue especially dangerous on installations whose REST API is reachable from the internet.
This vulnerability aligns with CWE-284 (Improper Access Control) and is mapped to the ATT&CK technique T1087.001 (Account Discovery: Local Account), since iterating over the endpoint enumerates the people held in the system. In access-control terms it is a horizontal authorization bypass: a requester reads records belonging to other people without gaining any higher privilege level. Organizations should upgrade to Rock RMS 1.8.6 or later, which enforces the authorization check before a vCard export is returned. Additional mitigations include network-level restrictions on who can reach the REST endpoints, monitoring access logs for unusual patterns against the People/GetVCard controller (many distinct person identifiers from one client in a short period, or successful responses to requests with no authenticated user), and an access control review of other REST controllers to confirm that each one authorizes against the specific record being returned. Regular security assessments and penetration testing should be performed to surface other authorization flaws of the same shape.
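The monitoring suggested above can be expressed as a small detection over web-server access logs. The following is an added example, not part of this entry or of Rock RMS; the log layout (ISO timestamp, client address, authenticated user or "-", quoted request line, status) and the `/api/People/GetVCard/<id>` route shape are assumptions made for the example, and the log lines are constructed. It flags any client that pulls at least `threshold` distinct people's vCards inside a sliding window, and separately counts successful GetVCard responses served to requests with no authenticated user.

```python
import re
from collections import Counter, defaultdict, deque
from datetime import datetime

# Constructed sample access-log lines (not real Rock RMS logs). Assumed layout:
#   <ISO timestamp> <client ip> <authenticated user or -> "<method> <path>" <status>
# The /api/People/GetVCard/<id> route shape is likewise an assumption for this example.
SAMPLE_LOG = """\
2024-04-18T10:00:00Z 203.0.113.5 - "GET /api/People/GetVCard/1" 200
2024-04-18T10:00:04Z 203.0.113.5 - "GET /api/People/GetVCard/2" 200
2024-04-18T10:00:09Z 203.0.113.5 - "GET /api/People/GetVCard/3" 200
2024-04-18T10:00:13Z 203.0.113.5 - "GET /api/People/GetVCard/4" 200
2024-04-18T10:00:18Z 203.0.113.5 - "GET /api/People/GetVCard/5" 200
2024-04-18T10:00:22Z 203.0.113.5 - "GET /api/People/GetVCard/6" 200
2024-04-18T10:00:30Z 198.51.100.7 staff@example.org "GET /api/People/GetVCard/42" 200
2024-04-18T10:01:15Z 198.51.100.7 staff@example.org "GET /page/12" 200
2024-04-18T10:05:40Z 198.51.100.7 staff@example.org "GET /api/People/GetVCard/43" 200
"""

LINE_RE = re.compile(
    r'^(?P<ts>\S+) (?P<client>\S+) (?P<user>\S+) "(?P<method>[A-Z]+) (?P<path>\S+)" (?P<status>\d{3})$'
)
VCARD_RE = re.compile(r"^/api/People/GetVCard/(?P<pid>[^/?]+)", re.IGNORECASE)


def parse_vcard_requests(lines):
    """Yield (timestamp, client, user, person id, status) for GetVCard hits; skip the rest."""
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        v = VCARD_RE.match(m["path"])
        if not v:
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
        yield ts, m["client"], m["user"], v["pid"], int(m["status"])


def find_vcard_enumeration(lines, window_seconds=60, threshold=5):
    """Return one alert per client that either requested >= threshold distinct person ids
    within any window_seconds span, or received 200 responses while unauthenticated."""
    per_client = defaultdict(list)
    for ts, client, user, pid, status in parse_vcard_requests(lines):
        per_client[client].append((ts, pid, user, status))

    alerts = []
    for client, events in per_client.items():
        events.sort(key=lambda e: e[0])
        window = deque()          # (timestamp, pid) of events inside the current window
        in_window = Counter()     # pid -> occurrences inside the window
        max_distinct = 0
        unauth_hits = 0
        for ts, pid, user, status in events:
            if user == "-" and status == 200:
                unauth_hits += 1
            window.append((ts, pid))
            in_window[pid] += 1
            # Evict events older than the window, measured from the newest event.
            while (ts - window[0][0]).total_seconds() > window_seconds:
                _, old_pid = window.popleft()
                in_window[old_pid] -= 1
                if in_window[old_pid] == 0:
                    del in_window[old_pid]
            max_distinct = max(max_distinct, len(in_window))
        if max_distinct >= threshold or unauth_hits > 0:
            alerts.append({
                "client": client,
                "max_distinct_in_window": max_distinct,
                "unauthenticated_hits": unauth_hits,
            })
    return alerts


if __name__ == "__main__":
    for alert in find_vcard_enumeration(SAMPLE_LOG.splitlines()):
        print(alert)
```

On the constructed sample the scraping client is reported with six distinct identifiers in 22 seconds and six unauthenticated successes, while the staff user who fetched two vCards five minutes apart is not. The threshold and window are tuning knobs; the distinct-identifier count is the signal, since a legitimate user rarely needs many different people's vCards in quick succession.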