pyLoad, Authorization Bypass, CVE-2023-0227 (Medium)

Listen to this Post

How the CVE Works:

This vulnerability stems from pyLoad caching a user’s role and permissions in the session at login. The WebUI authentication flow (in src/pyload/webui/app/helpers.py) writes `”role”: user_info[“role”]` and `”perms”: user_info[“permission”]` into the session. Later, authorization checks (in parse_permissions(), is_authenticated(), and login_required()) read these cached values from the session instead of querying the database for fresh role/permission data. When an admin changes a user’s role or permissions in the database, the active session is not invalidated or refreshed. As a result, the user continues to be authorized based on their old, stale privileges until the session expires (the default `session_lifetime` is 44640 minutes, or ~31 days). This allows a downgraded or restricted user to retain their previous, higher privileges, leading to unauthorized access to WebUI/API actions.

dailycve form:

Platform: pyLoad
Version: prior 0.5.0b3.dev36
Vulnerability: Session privilege cache
Severity: Medium
date: 2023-01-12

Prediction: Patch 2023-01-12

What Undercode Say:

This vulnerability highlights a fundamental flaw in session management and authorization consistency. The use of cached session data for access control, without a mechanism to refresh that data upon privilege changes, creates a significant security gap. Administrators should be aware that revoking a user’s permissions does not take effect immediately for active sessions, potentially allowing malicious or inadvertent actions.

Analytics under What Undercode Say:

To detect potential exploitation, monitor for unusual API calls or WebUI actions by users whose roles have been recently changed. Log analysis can correlate session activity with role modification timestamps.

Bash commands and codes:

Check for active sessions with stale privileges
This requires access to the session storage (e.g., filesystem or database)
For filesystem sessions:
find /tmp/pyLoad/flask/ -type f -exec ls -la {} \;
Monitor API calls for users with changed roles
Example: grep for API access logs around the time of role change
grep "api/" /var/log/pyload.log | grep "user=USERNAME"
Python script to simulate the vulnerability
python3 poc.py

Where `poc.py` is the Proof of Concept script provided in the .

How Exploit:

An attacker with an active session can continue to perform privileged actions even after their permissions have been revoked. The exploit requires the attacker to have an existing session before the role/permission change. No further action is needed; the stale session automatically grants continued access.

Protection from this CVE:

Upgrade to pyLoad version 0.5.0b3.dev36 or later.

Implement session invalidation upon role/permission changes (e.g., by clearing the session or updating its cached data).
Reduce `session_lifetime` to a shorter duration to limit the exposure window.
Regularly audit user sessions and enforce re-authentication after critical changes.

Impact:

Privilege escalation: A downgraded user retains old, higher privileges.
Unauthorized access: Continued access to admin or restricted WebUI/API functions.
Long exposure: Default session lifetime of ~31 days increases risk.
No immediate revocation: Role/permission changes do not affect active sessions until logout or expiry.

🎯Let’s Practice Exploiting & Learn Patching For Free:

Sources:

Reported By: github.com
Extra Source Hub:
Undercode

🔐JOIN OUR CYBER WORLD [ CVE News • HackMonitor • UndercodeNews ]

💬 Whatsapp | 💬 Telegram

📢 Follow DailyCVE & Stay Tuned:

𝕏 formerly Twitter 🐦 | @ Threads | 🔗 Linkedin Featured Image

Scroll to Top