Bug 2169751

Summary: PT: ROS: Insecure Direct Object Reference (IDOR) - Rating
Product: [Other] Security Response
Reporter: juneau
Component: vulnerability
Assignee: Nobody <nobody>
Status: NEW ---
QA Contact:
Severity: medium
Docs Contact:
Priority: medium
Version: unspecified
Keywords: Security
Target Milestone: ---
Target Release: ---
Hardware: All
OS: Linux
Whiteboard:
Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed:
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On:
Bug Blocks: 2169460

Description juneau 2023-02-14 15:10:20 UTC
Description
Authorization defines the concept of controlling access to resources. Only those users or user profiles that need access to information should have access to it. Incorrect authorization management can allow users to access restricted functionalities, to which only a certain group of users should have access, or to access other users' private information.
During this pentest, it has been detected that in the rating functionality, more concretely /api/ros/v1/rating, it is possible to modify the rating of a system that does not belong to that user.

Impact
This vulnerability allows users to modify the rating of systems from other organizations and, as reported in the previous pentest (RHIROS-400), also to enumerate systems from other organizations. Because the rating is altered, this vulnerability impacts both confidentiality and integrity.

Recommendations
To avoid the risk associated with this vulnerability, it is recommended to implement an adequate authorization mechanism within the overall service, especially in the private part, checking the access rights of the user associated with the session before accessing any resource or information.
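As an added illustration (not code from the ROS service or from this report), the following Python sketch contrasts a rating update that trusts the client-supplied system id with one that scopes the lookup to the organization of the authenticated session, which is the check the recommendation above calls for; the in-memory store, the field names and the integer rating are assumptions.

```python
# Added example, not ros-backend code: models the authorization check that the
# recommendation asks for on a rating update. The SYSTEMS store, field names
# and the integer rating are assumptions made for illustration.
from dataclasses import dataclass


@dataclass
class System:
    inventory_id: str
    org_id: str      # organization that owns the system
    rating: int = 0


class Forbidden(Exception):
    """Raised when the caller's organization does not own the system."""


# Constructed sample data: two systems owned by two different organizations.
SYSTEMS = {
    "sys-a1": System("sys-a1", org_id="org-100"),
    "sys-b1": System("sys-b1", org_id="org-200"),
}


def update_rating_insecure(inventory_id: str, rating: int) -> System:
    """IDOR pattern: the system is fetched by the client-supplied id alone and
    the caller's identity is never compared with the system's owner, so any
    authenticated user can change the rating of any system."""
    system = SYSTEMS[inventory_id]
    system.rating = rating
    return system


def owned_by(caller_org_id: str, inventory_id: str) -> bool:
    """True only if the system exists AND belongs to the caller's org."""
    system = SYSTEMS.get(inventory_id)
    return system is not None and system.org_id == caller_org_id


def update_rating_scoped(caller_org_id: str, inventory_id: str, rating: int) -> System:
    """Hardened pattern: caller_org_id must come from the authenticated session,
    never from the request body. A system owned by another org is treated the
    same as a system that does not exist, so the response reveals nothing that
    would help enumerate other organizations' systems."""
    if not owned_by(caller_org_id, inventory_id):
        raise Forbidden("system not found in caller's organization")
    system = SYSTEMS[inventory_id]
    system.rating = rating
    return system
```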

References
https://cwe.mitre.org/data/definitions/285.html
https://portswigger.net/web-security/access-control/idor