| शीर्षक | OWASP DefectDojo < 2.56.0 Authorization Bypass |
|---|
| विवरण | DefectDojo does not properly validate that the supplied risk_acceptance ID (raid) belongs to the supplied engagement ID (eid).
Authorization decorator checks only the engagement (@user_is_authorized on eid), while functions view_edit_risk_acceptance, edit_risk_acceptance, expire_risk_acceptance, reinstate_risk_acceptance and delete_risk_acceptance simply do get_object_or_404(Risk_Acceptance, pk=raid) without any affiliation check.
Only the download_risk_acceptance endpoint contains the correct check:
if not Engagement.objects.filter(risk_acceptance=risk_acceptance, id=eid).exists(): raise PermissionDenied
As a result, any authenticated user who has access to at least one engagement can read, edit, expire, reinstate or delete Risk Acceptance objects (and all accepted findings inside them) that belong to any other product/engagement. |
|---|
| स्रोत | ⚠️ https://github.com/noname1337h1/cve-bug-bounty/blob/main/dfdj_risk_acceptance_raid_idor_authorization_bypass/dfdj_risk_acceptance_raid_idor_authorization_bypass.md |
|---|
| उपयोगकर्ता | noname1337 (UID 97313) |
|---|
| सबमिशन | 13/04/2026 08:19 PM (2 महीनों पहले) |
|---|
| संयम | 30/04/2026 05:17 PM (17 days later) |
|---|
| स्थिति | स्वीकृत |
|---|
| VulDB प्रविष्टि | 360317 [OWAP DefectDojo तक 2.55.4 Benchmark/Engagement/Product/Survey अधिकार वृद्धि] |
|---|
| अंक | 20 |
|---|