CVE-2026-46425
BaseFortify
Publication date: 2026-05-27
Last updated on: 2026-05-27
Assigner: GitHub, Inc.
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: | |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| budibase | budibase | to 3.38.2 (inc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-862 | The product does not perform an authorization check when an actor attempts to access a resource or perform an action. |
Attack-Flow Graph
AI Powered Q&A
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
This vulnerability allows any authenticated user, including those with basic roles, to perform create, read, update, and delete (CRUD) operations on all tenant users and groups. This includes the ability to list all users, modify user details such as email addresses (which can lead to account takeover), deactivate or delete users, and alter group memberships to grant unauthorized roles.
Such unauthorized access and manipulation of user data can lead to significant breaches of confidentiality, integrity, and availability of sensitive information. This poses a high risk of non-compliance with data protection regulations and standards like GDPR and HIPAA, which require strict access controls and protection of personal and sensitive data.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by checking whether your Budibase instance is running a version prior to 3.38.2 and whether the SCIM endpoints are reachable by authenticated users who do not hold an admin role.
To detect exploitation attempts or the presence of this vulnerability on your system, monitor network traffic or logs for calls to SCIM endpoints that perform CRUD operations on users or groups from users with the BASIC role or any other non-admin role.
Suggested commands to help detect this vulnerability include:
- Check the Budibase version: `budibase --version` or check your deployment manifest to confirm if the version is older than 3.38.2.
- Use curl or similar tools to test SCIM endpoints with a non-admin authenticated user to see if CRUD operations are allowed, for example:
  - `curl -i -H "Authorization: Bearer <non-admin-token>" https://<budibase-host>/api/scim/v2/Users`
- Monitor logs for SCIM API calls by non-admin users that create, modify, or delete users or groups.
- Use network monitoring tools to detect unusual SCIM API activity from users without admin roles.
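The log monitoring suggested above, as an added example that is not part of the BaseFortify record or the Budibase project: it scans access-log lines for SCIM calls (`/api/scim/v2/...`) made by principals whose role is not an admin role and grades mutating methods as higher severity. The JSON log format, field names (`user`, `role`, `method`, `path`, `status`) and role labels are constructed assumptions; map them to whatever your reverse proxy or Budibase deployment actually emits.

```javascript
// Added detection example (not Budibase's code). Flags SCIM user/group calls made
// by non-admin principals. Field names and role labels are assumptions.
const SCIM_PREFIX = '/api/scim/v2/';
const ADMIN_ROLES = new Set(['ADMIN']);                     // assumed admin role label
const MUTATING = new Set(['POST', 'PUT', 'PATCH', 'DELETE']); // CRUD writes on users/groups

// Constructed sample log: one JSON object per line, plus one malformed line.
const SAMPLE_LOG = [
  '{"ts":"2026-05-27T10:00:01Z","user":"alice","role":"ADMIN","method":"GET","path":"/api/scim/v2/Users","status":200}',
  '{"ts":"2026-05-27T10:00:05Z","user":"bob","role":"BASIC","method":"GET","path":"/api/scim/v2/Users","status":200}',
  '{"ts":"2026-05-27T10:00:09Z","user":"bob","role":"BASIC","method":"PATCH","path":"/api/scim/v2/Users/42","status":200}',
  '{"ts":"2026-05-27T10:00:12Z","user":"carol","role":"BUILDER","method":"DELETE","path":"/api/scim/v2/Groups/7","status":403}',
  '{"ts":"2026-05-27T10:00:15Z","user":"bob","role":"BASIC","method":"GET","path":"/api/global/self","status":200}',
  'not json at all',
].join('\n');

// Parse one line; malformed or incomplete entries are skipped rather than aborting the scan.
function parseLine(line) {
  try {
    const e = JSON.parse(line);
    if (e && typeof e.path === 'string' && typeof e.method === 'string') return e;
    return null;
  } catch {
    return null;
  }
}

// Returns one finding per SCIM call from a non-admin role. `allowed` records whether
// the server actually honoured the request (a 403 means the role check held).
function findSuspiciousScimCalls(logText) {
  const findings = [];
  for (const line of logText.split('\n')) {
    const e = parseLine(line);
    if (!e || !e.path.startsWith(SCIM_PREFIX)) continue;
    if (ADMIN_ROLES.has(e.role)) continue; // admins are expected to use SCIM
    findings.push({
      ts: e.ts,
      user: e.user,
      role: e.role,
      method: e.method,
      path: e.path,
      severity: MUTATING.has(e.method) ? 'high' : 'medium',
      allowed: typeof e.status === 'number' && e.status < 400,
    });
  }
  return findings;
}

// Count findings by severity, and how many of them the server let through.
function summarize(findings) {
  const summary = { high: 0, medium: 0, allowed: 0 };
  for (const f of findings) {
    summary[f.severity] += 1;
    if (f.allowed) summary.allowed += 1;
  }
  return summary;
}

const findings = findSuspiciousScimCalls(SAMPLE_LOG);
console.log(JSON.stringify(findings, null, 2));
console.log(summarize(findings));
```

On the constructed sample this reports three non-admin SCIM calls: a read by a BASIC user (medium), a successful PATCH on a user record by the same BASIC user (high) and a DELETE on a group that the server rejected with 403 (high, but not allowed). Any finding with `allowed: true` on a pre-3.38.2 instance is worth an immediate review of the affected user and group records.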
Can you explain this vulnerability to me?
This vulnerability exists in Budibase, an open-source low-code platform, prior to version 3.38.2. The SCIM router in the worker component has only two middlewares: one that checks the Enterprise feature flag and the SCIM configuration, and another that sets the SCIM request context. It lacks any role-based access control.
As a result, any authenticated user, regardless of their role (including BASIC role or workspace-scoped builder), can access SCIM endpoints and perform create, read, update, and delete (CRUD) operations on every user and group within the tenant.
This means unauthorized users can manipulate user and group data without proper permission checks. The vulnerability was fixed in version 3.38.2.
How can this vulnerability impact me?
This vulnerability can have severe impacts because it allows any authenticated user to fully manage all users and groups within the tenant. Consequences include:
- Unauthorized modification or deletion of user accounts and groups.
- Potential privilege escalation by altering user roles or permissions.
- Disruption of normal operations due to unauthorized changes in user and group configurations.
- Exposure of sensitive user information through unauthorized access.
Overall, this vulnerability can lead to a complete compromise of user management within the affected Budibase tenant.
What immediate steps should I take to mitigate this vulnerability?
To mitigate this vulnerability, upgrade Budibase to version 3.38.2 or later, where the issue is fixed.
This update adds proper role checks to the SCIM router, so authenticated users without the required role can no longer perform CRUD operations on users and groups.
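The middleware layout described in the explanation above, and the role check the fix adds, as an added example that is not Budibase's own code: a minimal Koa-style middleware chain with the two middlewares the record names (feature flag plus SCIM configuration, then request context) next to a hardened chain that also requires an admin role before any SCIM handler runs. The `compose` helper, middleware names, role labels and the stub user list are hypothetical.

```javascript
// Added example (not Budibase's code): a Koa-style middleware chain for a SCIM route,
// with and without an authorization middleware. All names are hypothetical.

// Minimal synchronous compose: each middleware receives (ctx, next) and decides
// whether to continue the chain, mirroring how a router's middlewares run in order.
function compose(middlewares) {
  return (ctx) => {
    let index = -1;
    const dispatch = (i) => {
      if (i <= index) throw new Error('next() called more than once');
      index = i;
      const fn = middlewares[i];
      if (fn) fn(ctx, () => dispatch(i + 1));
    };
    dispatch(0);
    return ctx;
  };
}

// Middleware 1 (as the record describes): Enterprise feature flag and SCIM configured.
// This gates the feature, but says nothing about who the caller is.
function scimEnabled(config) {
  return (ctx, next) => {
    if (!config.enterprise || !config.scimEnabled) {
      ctx.status = 404;
      return;
    }
    next();
  };
}

// Middleware 2 (as the record describes): marks the request as a SCIM request.
function scimContext(ctx, next) {
  ctx.state.scimRequest = true;
  next();
}

// The missing check (CWE-862): reject any caller whose role is not on the allow list.
function requireRole(allowedRoles) {
  return (ctx, next) => {
    if (!ctx.user || !allowedRoles.includes(ctx.user.role)) {
      ctx.status = 403;
      return;
    }
    next();
  };
}

// Handler: lists tenant users (constructed stub data).
function listUsers(ctx) {
  ctx.status = 200;
  ctx.body = ctx.state.scimRequest ? ['alice', 'bob'] : [];
}

const config = { enterprise: true, scimEnabled: true };

// Vulnerable layout: feature gate, context, handler. Any authenticated user reaches listUsers.
const vulnerableChain = compose([scimEnabled(config), scimContext, listUsers]);
// Hardened layout: the role check sits before the SCIM handlers.
const hardenedChain = compose([scimEnabled(config), requireRole(['ADMIN']), scimContext, listUsers]);

// Run a request through a chain and return the resulting HTTP status.
function handle(chain, user) {
  const ctx = { user, state: {}, status: 404, body: undefined };
  return chain(ctx).status;
}

console.log('vulnerable, BASIC user:', handle(vulnerableChain, { name: 'bob', role: 'BASIC' }));   // 200
console.log('hardened,   BASIC user:', handle(hardenedChain, { name: 'bob', role: 'BASIC' }));     // 403
console.log('hardened,   ADMIN user:', handle(hardenedChain, { name: 'alice', role: 'ADMIN' }));   // 200
```

The point of the layout is ordering: the role check runs before the context middleware and the handlers, so a BASIC caller never reaches `listUsers` at all, while the feature gate in front still returns 404 when SCIM is not enabled. A single `requireRole` mounted on the router covers every SCIM route instead of relying on each handler to remember the check.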