| Título | OWASP DefectDojo < 2.56.0 Authorization Bypass |
|---|
| Descripción | DefectDojo does not properly validate that the supplied risk_acceptance ID (raid) belongs to the supplied engagement ID (eid).
Authorization decorator checks only the engagement (@user_is_authorized on eid), while functions view_edit_risk_acceptance, edit_risk_acceptance, expire_risk_acceptance, reinstate_risk_acceptance and delete_risk_acceptance simply do get_object_or_404(Risk_Acceptance, pk=raid) without any affiliation check.
Only the download_risk_acceptance endpoint contains the correct check:
if not Engagement.objects.filter(risk_acceptance=risk_acceptance, id=eid).exists(): raise PermissionDenied
As a result, any authenticated user who has access to at least one engagement can read, edit, expire, reinstate or delete Risk Acceptance objects (and all accepted findings inside them) that belong to any other product/engagement. |
|---|
| Fuente | ⚠️ https://github.com/noname1337h1/cve-bug-bounty/blob/main/dfdj_risk_acceptance_raid_idor_authorization_bypass/dfdj_risk_acceptance_raid_idor_authorization_bypass.md |
|---|
| Usuario | noname1337 (UID 97313) |
|---|
| Sumisión | 2026-04-13 20:19 (hace 2 meses) |
|---|
| Moderación | 2026-04-30 17:17 (17 days later) |
|---|
| Estado | Aceptado |
|---|
| Entrada de VulDB | 360317 [OWAP DefectDojo hasta 2.55.4 Benchmark/Engagement/Product/Survey escalada de privilegios] |
|---|
| Puntos | 20 |
|---|