Bug 2487069 (CVE-2026-53470)
| Summary: | CVE-2026-53470 migration-planner: GetSourceDownloadURL Missing Organization Check | ||
|---|---|---|---|
| Product: | [Other] Security Response | Reporter: | OSIDB Bzimport <bzimport> |
| Component: | vulnerability | Assignee: | Product Security <prodsec-ir-bot> |
| Status: | NEW --- | QA Contact: | |
| Severity: | high | Docs Contact: | |
| Priority: | high | ||
| Version: | unspecified | Keywords: | Security |
| Target Milestone: | --- | ||
| Target Release: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | |||
| Fixed In Version: | Doc Type: | --- | |
| Doc Text: |
A flaw was found in migration-planner. An authenticated attacker could exploit an improper access control vulnerability in the `/api/v1/sources/{id}/image-url` endpoint. This flaw allows the attacker to bypass an ownership check and obtain presigned S3 URLs for Open Virtual Appliance (OVA) images belonging to other users. Consequently, the attacker can download OVA images containing sensitive information, such as long-lived agent JSON Web Tokens (JWTs) and source configurations, potentially leading to unauthorized access and modification of the victim's source.
|
Story Points: | --- |
| Clone Of: | Environment: | ||
| Last Closed: | Type: | --- | |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
Repository: migration-planner Priority: High Location: internal/handlers/v1alpha1/source.go:236 Description: GET /api/v1/sources/{id}/image-url returns presigned S3 URLs for OVA appliances. Unlike sibling endpoints (GetSource/UpdateSource/DeleteSource), this handler skips the user.Organization == source.OrgID ownership check and proceeds directly to URL generation. Any bearer token plus victim's source UUID yields a download link. Security Impact: OVA embeds victim's long-lived agent JWT and source configuration Attacker gains credential to write to victim's source (when combined with f002) Discloses proxy/network configuration UUIDv4 entropy is insufficient when UUIDs appear in shared assessments, support tickets, browser history Fix Suggestion: Fetch the source first, compare user.Username/user.Organization against source.Username/source.OrgID, and return 404 on mismatch (not 403 to avoid existence oracle). Long-term: wrap SourceService in an Authz decorator. See patches/f003.patch.