जमा करें #844656: AstrBotDevs AstrBot 4.25.2 Improper Authorization (CWE-285)जानकारी

शीर्षकAstrBotDevs AstrBot 4.25.2 Improper Authorization (CWE-285)
विवरण# Technical Details An improper ownership check exists in the `FutureTaskTool.call()` workflow in `astrbot/core/tools/cron_tools.py` and the scheduler follow-up path in `astrbot/core/cron/manager.py` of AstrBot. The application fails to authorize future task management by task owner. Task creation stores both `session` and `sender_id`, but `list`, `edit`, and `delete` later check only whether the current unified message origin matches the stored session. In shared group sessions, any non-owner can manage another user's scheduled task. The `edit` path preserves the original `sender_id`, so attacker-modified content can later execute under a victim-derived cron role. # Vulnerable Code File: `astrbot/core/tools/cron_tools.py` Method: `FutureTaskTool.call()` Why: The `edit`, `delete`, and `list` branches authorize only by shared session/UMO and do not enforce ownership with `sender_id`. The `edit` branch copies the existing payload and updates only `payload["note"]`, preserving the victim creator identity for later scheduler use. # Reproduction 1. Create a future task as a victim user, preferably an admin, in a shared group session. 2. From a different non-owner user in the same UMO/session, run the provided PoC `verification_test_7822_cron_future_task_ownership.py`. 3. List and edit the victim task as the non-owner. 4. Observe that the modified task keeps the original victim `sender_id`. 5. Let the scheduler execute the task and confirm the attacker-controlled note runs with the victim-derived cron role. # Impact - Same-session attackers can list, edit, or delete another user's scheduled tasks. - If the victim is an admin, attacker-controlled task content can later execute in an admin-derived cron context.
स्रोत⚠️ https://gist.github.com/YLChen-007/2bab96d5bedef784f90c97009fff8a19
उपयोगकर्ता
 Eric-a (UID 96353)
सबमिशन01/06/2026 10:14 AM (1 महीना पहले)
संयम11/07/2026 02:42 PM (1 month later)
स्थितिस्वीकृत
VulDB प्रविष्टि377806 [AstrBotDevs AstrBot तक 4.25.2 Scheduled Task cron_tools.py FutureTaskTool.call payload["note"] अधिकार वृद्धि]
अंक20

Are you interested in using VulDB?

Download the whitepaper to learn more about our service!