Executive Summary

This vulnerability in Lychee photo-management tool occurs in the album password unlock functionality. When a user unlocks a password-protected public album, the system automatically unlocks all other public albums that share the same password without proper authorization checks. This means a user can gain unauthorized access to other users' password-protected albums if they share the same password. The issue arises because the unlock propagation lacks verification of album ownership or user authorization beyond password matching. [2]

Useful 0 Not Useful 0

Impact Analysis

The vulnerability can lead to unauthorized access to other users' password-protected albums, resulting in a confidentiality breach. Attackers can view photos, metadata, and album contents of other users without permission. However, it does not allow modification or deletion of data (no integrity impact) and does not affect availability. The severity is considered low. [2]

Useful 0 Not Useful 0

Detection Guidance

This vulnerability can be detected by testing the album password unlock functionality via the API endpoint POST /api/v2/Album::unlock. Specifically, you can attempt to unlock one password-protected public album and then check if other albums sharing the same password are also unlocked without additional authorization. Commands to test this could involve using curl or similar tools to send POST requests to the API endpoint with the album password and then verifying access to other albums with the same password. For example: 1. Use curl to unlock an album: curl -X POST -d '{"password":"<password>"}' https://<lychee-instance>/api/v2/Album::unlock 2. Attempt to access other albums that share the same password to see if they are unlocked as well. This behavior indicates the vulnerability. Note that the vulnerability is due to missing authorization checks in the propagation logic that unlocks all albums sharing the same password. Monitoring API calls to /api/v2/Album::unlock and checking for multiple albums being unlocked after a single unlock request can also help detect exploitation attempts. [2]

Useful 0 Not Useful 0

Mitigation Strategies

To mitigate this vulnerability immediately, upgrade Lychee to version 7.1.0 or later where the issue is fixed. The fix disables the automatic propagation of album unlocks by default via a new configuration option 'enable_propagate_unlock_option' set to false. If upgrading is not immediately possible, disable the password propagation feature if configurable, to prevent unlocking multiple albums sharing the same password. Administrators should review and adjust the 'enable_propagate_unlock_option' setting to false to prevent unintended mass unlocking of albums. Additionally, avoid sharing passwords across multiple albums to reduce risk. Monitoring and restricting API access to the album unlock endpoint can also help reduce exploitation risk. [1, 2]

Useful 0 Not Useful 0

Compliance Impact

The vulnerability allows unauthorized access to other users' password-protected albums, resulting in a confidentiality breach. This unauthorized disclosure of personal or sensitive data could negatively impact compliance with data protection regulations such as GDPR or HIPAA, which require strict controls on unauthorized access to personal information. Although the severity is rated low, the exposure of private photos and metadata without proper authorization may violate privacy and data protection requirements under these standards. [2]

Useful 0 Not Useful 0