Compliance Impact

This vulnerability allows authenticated users to bypass authorization controls and access or modify projects across different organizations without proper permission. Such unauthorized access and modification can lead to information disclosure and data integrity issues.

Because the vulnerability enables exposure and alteration of potentially sensitive organizational data, it may negatively impact compliance with data protection regulations such as GDPR and HIPAA, which require strict access controls and protection of personal and organizational data.

Specifically, the lack of authorization checks could result in unauthorized disclosure of confidential information and unauthorized changes to data, both of which are violations of common regulatory requirements for data confidentiality, integrity, and security.

Useful 0 Not Useful 0

Executive Summary

This vulnerability exists in TransformerOptimus SuperAGI versions up to 0.0.14, specifically in the functions get_project, update_project, and get_projects_organisation within the file superagi/controllers/project.py.

The flaw allows an attacker to bypass authorization controls, meaning they can perform actions or access data without proper permissions.

The attack can be executed remotely, and the exploit code has been publicly released, increasing the risk of exploitation.

Useful 0 Not Useful 0

Impact Analysis

This vulnerability can lead to unauthorized access or modification of project-related data within the affected application.

Because the authorization bypass can be exploited remotely, attackers may gain access without needing valid credentials or proper permissions.

Such unauthorized access could result in data breaches, manipulation of project information, or disruption of normal operations.

Useful 0 Not Useful 0

Detection Guidance

This vulnerability can be detected by testing the affected API endpoints for improper authorization checks. Specifically, you can attempt to access or modify projects belonging to organizations that the authenticated user should not have access to.

• Use an authenticated JWT token to send a GET request to the endpoint `/projects/get/organisation/{organisation_id}` with an organisation_id that the user does not belong to and check if the project list is returned.
• Send a GET request to `/projects/get/{project_id}` for a project outside the user's organization and verify if project details are accessible.
• Send a PUT request to `/projects/update/{project_id}` with modified project data for a project outside the user's organization and check if the update is accepted.

Example curl commands (replace placeholders accordingly):

• curl -H "Authorization: Bearer <JWT_TOKEN>" https://<target>/projects/get/organisation/<other_org_id>
• curl -H "Authorization: Bearer <JWT_TOKEN>" https://<target>/projects/get/<project_id>
• curl -X PUT -H "Authorization: Bearer <JWT_TOKEN>" -H "Content-Type: application/json" -d '{"name":"test","description":"test"}' https://<target>/projects/update/<project_id>

Useful 0 Not Useful 0

Mitigation Strategies

Immediate mitigation steps include restricting access to the vulnerable API endpoints and ensuring proper authorization checks are implemented.

• Restrict access to the project management API endpoints to only trusted users or internal networks until a patch is applied.
• Implement or enforce authorization checks that verify the authenticated user belongs to the organization owning the project before allowing access or modification.
• Monitor logs for suspicious access patterns such as users accessing projects or organizations they should not have access to.
• Apply any available patches or updates from the vendor once they become available.

Useful 0 Not Useful 0