| タイトル | mosaxiv clawlet 0.2.10 Missing Authorization (CWE-862) |
|---|
| 説明 | # Technical Details
A Cross-Session Authorization Bypass exists in the `cron` chat tool in `tools/tool_cron.go` of clawlet.
The application stores per-session ownership metadata (`Channel` and `To` fields) when a user creates a scheduled cron job, but fails to enforce that ownership on subsequent `list` and `remove` operations. The `list` action returns all enabled jobs from the shared store, and `remove` deletes by raw job ID without verifying caller/session ownership.
# Vulnerable Code
File: tools/tool_cron.go
Method: cron tool list and remove handlers
Why: The `list` case calls `r.Cron.List(false)` returning every enabled job regardless of session. The `remove` case forwards any `job_id` directly to `r.Cron.Remove(...)`. The lower-layer `cron.Service.Remove(id)` deletes by raw ID with no caller context, making the tool-layer authorization omission directly exploitable across chat sessions.
# Reproduction
1. Victim session creates a cron job through the normal chat tool path (stored with victim's channel/chat_id metadata).
2. Attacker session invokes `cron list` — receives the victim job name and ID because no caller scoping is applied.
3. Attacker invokes `cron remove` with the leaked `job_id`.
4. Independent file-system observation confirms the victim job is deleted from the shared cron store.
# Impact
- Enumerate scheduled jobs created by another chat session
- Learn victim job names, identifiers, and schedule types
- Delete victim jobs from the shared cron store
- Disrupt reminders, workflow triggers, and scheduled agent actions for other users
- Unauthorized cross-tenant interference and denial of scheduled automation |
|---|
| ソース | ⚠️ https://github.com/mosaxiv/clawlet/issues/17 |
|---|
| ユーザー | Erichen (UID 98955) |
|---|
| 送信 | 2026年06月12日 10:39 (1 月 ago) |
|---|
| モデレーション | 2026年07月17日 07:47 (1 month later) |
|---|
| ステータス | 承諾済み |
|---|
| VulDBエントリ | 379759 [mosaxiv clawlet 迄 0.2.10 cron Chat Tool tools/tool_cron.go list/remove 特権昇格] |
|---|
| ポイント | 20 |
|---|