| Field | Value |
|---|---|
| Title | Open-Source LitmusChaos 3.19.0 Unauthorized Project Deletion via Missing Authorization Checks |
| Description | A critical vulnerability was identified in the LitmusChaos platform that allows any authenticated user to delete projects belonging to other users by manipulating the projectID parameter in a DELETE request. This occurs because the backend performs no authorization check on the request.<br>Details: During testing, it was observed that when a user sends a request to delete a project, the backend accepts any valid projectID and proceeds with deletion without verifying that the user is authorized to perform the action. Specifically, the backend does not validate whether the requesting user is the owner of the target project or has sufficient privileges over it.<br>This flaw enables malicious users to craft requests with arbitrary projectID values, leading to the deletion of projects they do not own or manage.<br>Impact: Permanent deletion of other users' projects; loss of critical data and disruption of service; exploitable by any authenticated user. |
| Source | https://github.com/MaiqueSilva/VulnDB/blob/main/readme06.md |
| User | maique (UID 88562) |
| Submitted | 2025-07-31 04:30 AM (9 months ago) |
| Moderation | 2025-08-09 07:34 AM (9 days later) |
| Status | Accepted |
| VulDB Entry | 319324 [LitmusChaos Litmus up to 3.19.0 Delete Request /auth/delete_project/ projectID privilege escalation] |
| Points | 20 |
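The missing check described in the entry, as an added illustration that is not LitmusChaos's own code: a constructed in-memory project store with the unchecked delete (the reported flaw) beside a hardened delete that verifies ownership server-side before removing anything. The types, function names and sample projects are assumptions made for this example.

```go
package main

import (
	"errors"
	"fmt"
)

// Constructed model; LitmusChaos's real data structures are not reproduced here.
type Project struct{ ID, Owner string }
type Store struct{ projects map[string]*Project }

var ErrNotFound = errors.New("project not found")
var ErrForbidden = errors.New("forbidden: requester does not own the project")

// DeleteProjectUnchecked mirrors the reported flaw: any valid projectID is
// deleted regardless of who sent the request.
func (s *Store) DeleteProjectUnchecked(requester, projectID string) error {
	if _, ok := s.projects[projectID]; !ok {
		return ErrNotFound
	}
	delete(s.projects, projectID)
	return nil
}

// DeleteProject is the hardened form: requester must come from the verified
// session or token (never a client-controlled parameter), and ownership is
// checked server-side before any state change.
func (s *Store) DeleteProject(requester, projectID string) error {
	p, ok := s.projects[projectID]
	if !ok {
		return ErrNotFound
	}
	if p.Owner != requester {
		return ErrForbidden
	}
	delete(s.projects, projectID)
	return nil
}

// NewSampleStore seeds two constructed projects owned by different users.
func NewSampleStore() *Store {
	return &Store{projects: map[string]*Project{
		"proj-alice": {ID: "proj-alice", Owner: "alice"},
		"proj-bob":   {ID: "proj-bob", Owner: "bob"},
	}}
}

func main() {
	s := NewSampleStore()
	fmt.Println("bob -> proj-alice:", s.DeleteProject("bob", "proj-alice"))     // ErrForbidden
	fmt.Println("alice -> proj-alice:", s.DeleteProject("alice", "proj-alice")) // <nil>
}
```

In a real handler the ErrForbidden and ErrNotFound results map to 403 and 404 respectively, and a denied delete attempt on a project the caller does not own is worth logging as an authorization failure.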