GMS-2023-1876: Unsafe plugins can be installed via pack import by tenant admins

July 27, 2023 (updated September 6, 2023)

Summary

Unsafe plugins (for instance sql-list) can be installed in subdomain tenants via pack import even if unsafe plugin installation for tenants is disables

Details

I have an example https://bot20230704.saltcorn.com/view/all_plugins It’s publicly accessible (but has not so secure values except list of tenants). But using this mech one can read any data from other tenants.

Impact

All tenants of installation (i.e. saltcorn.com), can be compromised from tenant user has admin access. If an untrusted user has admin rights to a tenant instance, they will be able to install a plug-in that can access information from other tenants

References

Detect and mitigate GMS-2023-1876 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →