CVE-2020-35577 in Selection Portal
Summary
by MITRE • 02/18/2021
In Endalia Selection Portal before 4.205.0, an Insecure Direct Object Reference (IDOR) allows any authenticated user to download every file uploaded to the platform by changing the value of the file identifier (aka CommonDownload identification number).
Analysis
by VulDB Data Team • 03/03/2021
The vulnerability identified as CVE-2020-35577 represents a critical Insecure Direct Object Reference flaw within the Endalia Selection Portal platform affecting versions prior to 4.205.0. This type of vulnerability falls under the CWE-284 category, which specifically addresses improper access control mechanisms that allow unauthorized users to access resources they should not be able to reach. The vulnerability manifests in the platform's file download functionality where authenticated users can manipulate the file identifier parameter to access any file uploaded to the system regardless of their authorization level or role within the platform.
The technical implementation of this flaw stems from inadequate input validation and access control checks within the download endpoint. When users attempt to download files through the CommonDownload identification number parameter, the system fails to properly verify whether the authenticated user has legitimate access rights to the requested resource. This oversight creates a direct reference to internal objects without proper authorization verification, allowing any authenticated user to iterate through file identifiers and retrieve files that belong to other users or system resources. The vulnerability essentially bypasses the platform's intended access control mechanisms by relying on predictable or manipulable identifiers rather than enforcing proper authentication and authorization checks.
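To make the pattern described above concrete, here is an added example (not Endalia Selection Portal code; all class and function names are hypothetical) of a file-download service in Python. It places the flawed handler, which trusts a sequential file identifier once the caller is authenticated, beside a handler that authorizes every request against the file's ownership, and adds an unguessable, short-lived, user-bound download token that is only issued after that same check:

```python
# Added example, not Endalia Selection Portal code: a minimal download service
# showing the flawed pattern (identifier trusted as-is) beside the fixed one
# (authorization decided per request against the file's ownership), plus an
# unguessable, user-bound download token. All names here are hypothetical.
from dataclasses import dataclass, field
from typing import Optional
import secrets
import time


@dataclass
class User:
    username: str
    role: str = "candidate"  # e.g. candidate, recruiter, administrator


@dataclass
class StoredFile:
    owner: str
    name: str
    content: bytes
    shared_with: set = field(default_factory=set)  # usernames explicitly granted access


def is_authorized(user: User, stored: StoredFile) -> bool:
    """Object-level check: owner, explicit share, or platform administrator."""
    return (
        user.username == stored.owner
        or user.username in stored.shared_with
        or user.role == "administrator"
    )


class FileStore:
    """Files keyed by a sequential integer, like a 'CommonDownload' number."""

    def __init__(self) -> None:
        self._files = {}   # file_id -> StoredFile
        self._next_id = 1
        self._tokens = {}  # token -> (file_id, username, expires_at)

    def add(self, owner: str, name: str, content: bytes) -> int:
        file_id = self._next_id
        self._next_id += 1
        self._files[file_id] = StoredFile(owner, name, content)
        return file_id

    def download_vulnerable(self, user: User, file_id: int) -> Optional[bytes]:
        """The IDOR: the caller is authenticated, but nothing ties `user` to the file."""
        stored = self._files.get(file_id)
        return None if stored is None else stored.content

    def download_secure(self, user: User, file_id: int) -> bytes:
        """Fixed: authorize against the object before releasing it."""
        stored = self._files.get(file_id)
        if stored is None or not is_authorized(user, stored):
            # One response for 'missing' and 'forbidden', so valid identifiers
            # cannot be told apart from invalid ones by the error returned.
            raise PermissionError("file not found or access denied")
        return stored.content

    def issue_token(self, user: User, file_id: int, ttl_seconds: int = 300) -> str:
        """Unguessable, short-lived reference bound to the requesting user.
        It is issued only after the same authorization check; a random
        identifier without that check would still be an IDOR."""
        stored = self._files.get(file_id)
        if stored is None or not is_authorized(user, stored):
            raise PermissionError("file not found or access denied")
        token = secrets.token_urlsafe(32)
        self._tokens[token] = (file_id, user.username, time.time() + ttl_seconds)
        return token

    def redeem_token(self, user: User, token: str) -> bytes:
        entry = self._tokens.pop(token, None)  # single use: removed on first attempt
        if entry is None:
            raise PermissionError("unknown or already used token")
        file_id, username, expires_at = entry
        if username != user.username or time.time() > expires_at:
            raise PermissionError("token not valid for this user or expired")
        return self.download_secure(user, file_id)


if __name__ == "__main__":
    store = FileStore()
    alice, bob = User("alice"), User("bob")
    cv_id = store.add("alice", "cv.pdf", b"alice's CV")
    print(store.download_vulnerable(bob, cv_id))  # bob reads alice's file
    try:
        store.download_secure(bob, cv_id)
    except PermissionError as exc:
        print("secure handler:", exc)
```

The important design point is that `download_secure` and `issue_token` share one authorization predicate evaluated on the server for every request; switching the identifier from an integer to a random token is a defence-in-depth measure against enumeration, not a substitute for that check.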
The operational impact of this vulnerability is significant as it enables unauthorized data access and potential information disclosure across the entire platform. Any authenticated user can leverage this flaw to download files that may contain sensitive information, personal data, proprietary content, or confidential business documents belonging to other users or organizations using the platform. This creates a substantial risk for data breaches, privacy violations, and potential regulatory compliance issues. The vulnerability affects the confidentiality and integrity of the system's data protection mechanisms, as it allows for arbitrary file access that could expose intellectual property, user credentials, or other sensitive materials stored within the platform's file repository.
Security mitigations for this vulnerability should focus on implementing proper access control checks and input validation mechanisms. The platform must enforce authorization checks at the application level before allowing file downloads, ensuring that each request is validated against the user's permissions and the file's ownership. This includes implementing proper session management, role-based access controls, and validating that users can only access files they are authorized to view. Additionally, the system should employ randomized or non-predictable file identifiers that cannot be easily guessed or enumerated by unauthorized users. Organizations should also implement logging and monitoring of file access attempts to detect potential exploitation attempts. The remediation process should include updating to Endalia Selection Portal version 4.205.0 or later, which contains the necessary fixes to address this vulnerability. This vulnerability aligns with ATT&CK technique T1213.002 for credential access and T1078.004 for valid accounts, as it exploits authenticated access to gain unauthorized data access through manipulation of object references.
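The logging and monitoring recommendation above is the one control that also helps on an unpatched system, where every download succeeds and there are no denials to alert on. The following added example (not Endalia's code; the audit-line format and field names are assumptions, and the log lines are constructed) parses download-audit records and flags a user who, within a short window, fetches many distinct file identifiers that are mostly adjacent to one another, the signature of identifier iteration:

```python
# Added example, not Endalia's code: enumeration detection over constructed
# download-audit lines. Log format and field names are assumptions; a real
# deployment would map its own access-log fields onto parse_line().
import re
from collections import defaultdict
from datetime import datetime, timezone

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2})Z "
    r"user=(?P<user>\S+) file_id=(?P<file_id>\d+) status=(?P<status>\d{3})$"
)


def parse_line(line):
    """Return a dict for one audit line, or None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return None
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%S").replace(tzinfo=timezone.utc)
    return {"ts": ts, "user": m["user"], "file_id": int(m["file_id"]),
            "status": int(m["status"])}


def detect_enumeration(lines, window_seconds=60, min_distinct=8, min_sequential_ratio=0.6):
    """Flag users who, inside any window of `window_seconds`, fetched at least
    `min_distinct` different file ids, mostly adjacent to each other. The HTTP
    status is deliberately not used: on an unpatched system every request
    succeeds, so volume and ordering are the only signal."""
    by_user = defaultdict(list)
    for event in filter(None, map(parse_line, lines)):
        by_user[event["user"]].append(event)

    findings = []
    for user, events in by_user.items():
        events.sort(key=lambda e: e["ts"])
        best = None
        start = 0
        for end in range(len(events)):
            # Sliding window: drop events older than window_seconds.
            while (events[end]["ts"] - events[start]["ts"]).total_seconds() > window_seconds:
                start += 1
            ids = [e["file_id"] for e in events[start:end + 1]]
            distinct = len(set(ids))
            if distinct < min_distinct:
                continue
            steps = [b - a for a, b in zip(ids, ids[1:])]  # non-empty: >= 8 ids
            ratio = sum(1 for s in steps if abs(s) == 1) / len(steps)
            if ratio >= min_sequential_ratio and (best is None or distinct > best["distinct_ids"]):
                best = {"user": user, "distinct_ids": distinct,
                        "sequential_ratio": round(ratio, 2),
                        "first": events[start]["ts"].isoformat(),
                        "last": events[end]["ts"].isoformat()}
        if best is not None:
            findings.append(best)
    return findings


# Constructed sample: two ordinary downloads, one malformed line, one user
# walking ids 1001..1012 in twelve seconds, and one user fetching nine
# unrelated ids (many downloads, but not sequential, so not flagged).
CONSTRUCTED_LOG = (
    [
        "2021-02-18T10:00:01Z user=alice file_id=1042 status=200",
        "2021-02-18T10:00:02Z user=bob file_id=1043 status=200",
        "malformed line that parse_line skips",
    ]
    + [f"2021-02-18T10:00:{5 + i:02d}Z user=mallory file_id={1001 + i} status=200"
       for i in range(12)]
    + [f"2021-02-18T10:01:{i:02d}Z user=dave file_id={fid} status=200"
       for i, fid in enumerate([5001, 5120, 5007, 5300, 5042, 5211, 5099, 5150, 5003])]
)

if __name__ == "__main__":
    for finding in detect_enumeration(CONSTRUCTED_LOG):
        print(finding)
```

Thresholds are starting points to tune against the platform's normal traffic; a recruiter exporting a whole candidate pool may legitimately download many files, but will rarely do so in strict identifier order, which is why the sequential ratio is required in addition to volume.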