| Field | Value |
|---|---|
| Title | orionsec Orion-ops (server component) <= master commit 5925824997a3109651bbde07460958a7be249ed1 Improper Access Control / Information Disclosure (exposed machin |
| Description | Orion-ops uses the MachineKeyController to manage SSH key material that is later injected into deployment workflows. The controller exposes listing and detail endpoints without narrowing the caller's role. In the download path, FileDownloadServiceImpl trusts the supplied id and never checks that the requesting user owns, uploaded, or has any other relationship with that key. The download tokens are therefore unscoped and reusable by any session. This behavior is inconsistent with the intent of storing sensitive SSH credentials on the server side and results in total disclosure of the stored secrets. |
| Source | https://github.com/Xzzz111/exps/blob/main/archives/orion-ops-information-disclosure-1/report.md |
| User | sh7err03 (UID 92418) |
| Submission | 11/10/2025 12:12 (5 months ago) |
| Moderation | 11/30/2025 15:25 (20 days later) |
| Status | Accepted |
| VulDB entry | 333817 [orionsec orion-ops up to 5925824997a3109651bbde07460958a7be249ed1 API MachineKeyController.java MachineKeyController improper authorization] |
| Points | 20 |