Speckle Server up to 2.17.5 insufficient granularity of access control

Summaryinfo

A vulnerability, which was classified as problematic, has been found in Speckle Server up to 2.17.5. The impacted element is an unknown function. The manipulation leads to insufficient granularity of access control. This vulnerability is listed as CVE-2023-50713. The attack may be initiated remotely. There is no available exploit. It is advisable to upgrade the affected component.

Detailsinfo

A vulnerability, which was classified as problematic, has been found in Speckle Server up to 2.17.5. This issue affects an unknown functionality. The manipulation with an unknown input leads to a insufficient granularity of access control vulnerability. Using CWE to declare the problem leads to CWE-1220. The product implements access controls via a policy or other feature with the intention to disable or restrict accesses (reads and/or writes) to assets in a system from untrusted agents. However, implemented access controls lack required granularity, which renders the control policy too broad because it allows accesses from unauthorized agents to the security-sensitive assets. Impacted is confidentiality, and integrity. The summary by CVE is:

Speckle Server provides server, frontend, 3D viewer, and other JavaScript utilities for the Speckle 3D data platform. A vulnerability in versions prior to 2.17.6 affects users who: authorized an application which requested a 'token write' scope or, using frontend-2, created a Personal Access Token (PAT) with `token write` scope. When creating a new token an agent needs to authorise the request with an existing token (the 'requesting token'). The requesting token is required to have token write scope in order to generate new tokens. However, Speckle server was not verifying that other privileges granted to the new token were not in excess of the privileges of the requesting token. A malicious actor could use a token with only token write scope to subsequently generate further tokens with additional privileges. These privileges would only grant privileges up to the existing privileges of the user. This vulnerability cannot be used to escalate a user's privileges or grant privileges on behalf of other users. This has been patched as of version 2.17.6. All operators of Speckle servers should upgrade their server to version 2.17.6 or higher. Any users who authorized an application with 'token write' scope, or created a token in frontend-2 with `token write` scope should review existing tokens and permanently revoke any they do not recognize, revoke existing tokens and create new tokens, and review usage of their account for suspicious activity. No known workarounds for this issue exist.

The weakness was presented 12/15/2023 as GHSA-xpf3-5q5x-3qwh. It is possible to read the advisory at github.com. The identification of this vulnerability is CVE-2023-50713 since 12/11/2023. It demands that the victim is doing some kind of user interaction. The technical details are unknown and an exploit is not publicly available.

Upgrading to version 2.17.6 eliminates this vulnerability. The upgrade is hosted for download at github.com. Applying the patch 3689e1cd58ec4f06abee836af34889d6ce474571 is able to eliminate this problem. The bugfix is ready for download at github.com. The best possible mitigation is suggested to be upgrading to the latest version.

Statistical analysis made it clear that VulDB provides the best quality for vulnerability data.

Productinfo

Vendor

• Speckle

Name

• Server

Version

• 2.17.0
• 2.17.1
• 2.17.2
• 2.17.3
• 2.17.4
• 2.17.5

License

• open-source

CPE 2.3info

• 🔍
• 🔍
• 🔍

CPE 2.2info

• 🔍
• 🔍
• 🔍

CVSSv4info

CVSSv3info

CVSSv2info

Exploitinginfo

Threat Intelligenceinfo

Countermeasuresinfo

Timelineinfo

Sourcesinfo

Entryinfo

Statistical analysis made it clear that VulDB provides the best quality for vulnerability data.

Discussion