CVE-2026-56768
Status: Deferred - Pending Action
Seahub Unauthenticated Directory Download via Share-Link Token

Publication date: 2026-06-25

Last updated on: 2026-06-25

Assigner: VulnCheck

Description
Seahub before 13.0.23 does not enforce SHARE_LINK_LOGIN_REQUIRED on GET /api/v2.1/share-link-zip-task/, allowing unauthenticated users to bypass authentication. Attackers with a folder share-link token can call the GET endpoint to obtain a fileserver zip token and download entire shared directory trees.
Meta Information
Published: 2026-06-25
Last Modified: 2026-06-25
Generated: 2026-06-26
AI Q&A: 2026-06-26
EPSS Evaluated: N/A
Affected Vendors & Products
Vendor: seafile
Product: seahub
Version / Range: up to 13.0.23 (13.0.23 excluded)
CWE-862: The product does not perform an authorization check when an actor attempts to access a resource or perform an action.
AI Quick Actions
Instant insights powered by AI
Compliance Impact

This vulnerability allows unauthenticated users to bypass authentication and download entire shared directory trees if they have a folder share-link token. Such unauthorized access to potentially sensitive or personal data could lead to violations of data protection regulations like GDPR or HIPAA, which require strict access controls and protection of personal and sensitive information.

By failing to enforce authentication on the affected endpoint, Seahub before version 13.0.23 does not adequately protect shared data, increasing the risk of data breaches and non-compliance with standards that mandate confidentiality, integrity, and access control.

Executive Summary

This vulnerability affects Seahub versions before 13.0.23, where the system does not enforce the SHARE_LINK_LOGIN_REQUIRED setting on the GET /api/v2.1/share-link-zip-task/ endpoint.

Because of this, unauthenticated users can bypass authentication if they have a valid folder share-link token. They can call this GET endpoint to obtain a fileserver zip token, which allows them to download entire shared directory trees without proper authorization.

Impact Analysis

The vulnerability allows attackers with a folder share-link token to bypass authentication and download entire shared directory trees.

This can lead to unauthorized access and exfiltration of potentially sensitive or confidential files shared via Seahub.

Such unauthorized data access can compromise data confidentiality and integrity within an organization.

Detection Guidance

This vulnerability can be detected by monitoring requests to the GET /api/v2.1/share-link-zip-task/ endpoint that arrive without an authenticated user session. Specifically, look for requests that carry a folder share-link token but no logged-in session on a deployment where SHARE_LINK_LOGIN_REQUIRED is enabled; a successful response to such a request indicates the authentication bypass.

You can use HTTP clients such as curl or wget to test whether the endpoint allows unauthenticated access. For example, a command to test the endpoint might be:

  • curl -i -X GET "https://your-seahub-domain/api/v2.1/share-link-zip-task/" -H "Authorization: Token <folder-share-link-token>"

If the response returns a fileserver zip token or allows downloading shared directory trees without requiring user authentication, the system is vulnerable.

Additionally, checking server logs for 200 OK responses to this endpoint on requests that carried no authenticated session can help detect exploitation attempts.
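As an added example that is not part of this advisory or of the Seahub project, the following Python filter implements the log check described above over constructed access-log lines. It assumes the reverse proxy appends a `sess=` field to the combined log format (`present` when a Seahub session cookie accompanied the request, `-` otherwise); stock combined-format logs carry no cookie information, so this check cannot be made from them alone.

```python
import re
from urllib.parse import urlsplit

# Endpoint named in the advisory; trailing slash is normalised below.
ENDPOINT = "/api/v2.1/share-link-zip-task/"

# Constructed sample lines (not real traffic). Format: combined log plus a
# custom "sess=" field that the proxy is assumed to emit ("present" or "-").
LOG_LINES = """\
203.0.113.10 - - [25/Jun/2026:10:01:12 +0000] "GET /api/v2.1/share-link-zip-task/?path=/ HTTP/1.1" 200 118 sess=-
203.0.113.11 - - [25/Jun/2026:10:02:40 +0000] "GET /api/v2.1/share-link-zip-task/?path=/docs HTTP/1.1" 200 118 sess=present
203.0.113.12 - - [25/Jun/2026:10:03:05 +0000] "GET /api/v2.1/share-link-zip-task?path=/ HTTP/1.1" 403 52 sess=-
198.51.100.7 - - [25/Jun/2026:10:04:00 +0000] "GET /api/v2.1/repos/ HTTP/1.1" 200 944 sess=present
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ sess=(?P<sess>\S+)$'
)


def find_unauthenticated_zip_task_hits(log_text):
    """Return GET requests to the zip-task endpoint that succeeded (200)
    although no session cookie accompanied them. Only meaningful on a
    deployment where SHARE_LINK_LOGIN_REQUIRED is enabled."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that do not match the assumed format
        path = urlsplit(m["target"]).path.rstrip("/")
        if m["method"] != "GET" or path != ENDPOINT.rstrip("/"):
            continue
        # A 4xx on an anonymous request means login was enforced; only
        # a 200 with no session is evidence of the bypass.
        if m["status"] == "200" and m["sess"] == "-":
            hits.append({"ip": m["ip"], "time": m["ts"]})
    return hits


if __name__ == "__main__":
    for hit in find_unauthenticated_zip_task_hits(LOG_LINES):
        print(f"possible bypass: {hit['ip']} at {hit['time']}")
```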

Mitigation Strategies

The immediate mitigation step is to upgrade Seahub to version 13.0.23 or later, where the vulnerability has been fixed by enforcing the SHARE_LINK_LOGIN_REQUIRED setting on the GET /api/v2.1/share-link-zip-task/ endpoint.

If upgrading immediately is not possible, you should restrict access to the vulnerable endpoint by implementing network-level controls such as firewall rules or reverse proxy restrictions to block unauthenticated requests to /api/v2.1/share-link-zip-task/.

Additionally, review and enforce authentication requirements on shared link endpoints to ensure that only authenticated users can access sensitive resources.
