| Title | OWASP DefectDojo < 2.56.0 Authorization Bypass |
|---|---|
| Description | DefectDojo does not properly validate that the supplied risk_acceptance ID (raid) belongs to the supplied engagement ID (eid). The authorization decorator checks only the engagement (@user_is_authorized on eid), while the functions view_edit_risk_acceptance, edit_risk_acceptance, expire_risk_acceptance, reinstate_risk_acceptance and delete_risk_acceptance simply call get_object_or_404(Risk_Acceptance, pk=raid) without any affiliation check. Only the download_risk_acceptance endpoint contains the correct check: `if not Engagement.objects.filter(risk_acceptance=risk_acceptance, id=eid).exists(): raise PermissionDenied`. As a result, any authenticated user who has access to at least one engagement can read, edit, expire, reinstate or delete Risk Acceptance objects (and all accepted findings inside them) that belong to any other product/engagement. |
| Source | https://github.com/noname1337h1/cve-bug-bounty/blob/main/dfdj_risk_acceptance_raid_idor_authorization_bypass/dfdj_risk_acceptance_raid_idor_authorization_bypass.md |
| User | noname1337 (UID 97313) |
| Submission | 13/04/2026 20:19 (2 months ago) |
| Moderation | 30/04/2026 17:17 (17 days later) |
| Status | accepted |
| VulDB Entry | 360317 [OWASP DefectDojo up to 2.55.4 Benchmark/Engagement/Product/Survey privilege escalation] |
| Points | 20 |
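The lookup flaw described above next to the affiliation check that download_risk_acceptance already performs, as an added Python example that is not DefectDojo's own code: Django's ORM is replaced by in-memory dictionaries with constructed sample data, and the names vulnerable_lookup, hardened_lookup and access_allowed are assumptions made for this illustration.

```python
from dataclasses import dataclass, field

class Http404(Exception):
    """Stand-in for django.http.Http404 (no Django needed to run this)."""

class PermissionDenied(Exception):
    """Stand-in for django.core.exceptions.PermissionDenied."""

@dataclass
class RiskAcceptance:
    pk: int
    name: str

@dataclass
class Engagement:
    pk: int
    risk_acceptance_ids: list = field(default_factory=list)

# Constructed sample data: engagement 10 owns raid 1, engagement 20 owns raid 2.
RISK_ACCEPTANCES = {1: RiskAcceptance(1, "ra-of-eng-10"), 2: RiskAcceptance(2, "ra-of-eng-20")}
ENGAGEMENTS = {10: Engagement(10, [1]), 20: Engagement(20, [2])}

def get_object_or_404(table, pk):
    """Mirrors Django's get_object_or_404 for the in-memory tables above."""
    if pk not in table:
        raise Http404(f"no object with pk={pk}")
    return table[pk]

def vulnerable_lookup(eid, raid):
    """Flawed pattern: the decorator validates eid only, then the view fetches
    the risk acceptance by raid alone, so any raid is returned whoever owns it."""
    get_object_or_404(ENGAGEMENTS, eid)  # what @user_is_authorized covers
    return get_object_or_404(RISK_ACCEPTANCES, raid)

def hardened_lookup(eid, raid):
    """Pattern from download_risk_acceptance: refuse unless the authorized
    engagement contains the requested raid (the in-memory equivalent of
    Engagement.objects.filter(risk_acceptance=risk_acceptance, id=eid).exists())."""
    engagement = get_object_or_404(ENGAGEMENTS, eid)
    risk_acceptance = get_object_or_404(RISK_ACCEPTANCES, raid)
    if raid not in engagement.risk_acceptance_ids:
        raise PermissionDenied(f"risk acceptance {raid} is not part of engagement {eid}")
    return risk_acceptance

def access_allowed(lookup, eid, raid):
    """True when the lookup returns an object, False when it raises PermissionDenied."""
    try:
        lookup(eid, raid)
        return True
    except PermissionDenied:
        return False
```

With the sample data, vulnerable_lookup(10, 2) hands engagement 10's caller the risk acceptance that belongs to engagement 20, while hardened_lookup(10, 2) denies it and hardened_lookup(10, 1) still succeeds.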