Summary
With SSO (I only checked custom SSO with on-premise GitLab), I can log in as another user, using either an SSO user or a password user.
Details
- 2 users with Single sign-on enabled (victim / my-real-user)
- In the login interface, enter Username = (victim) and press the Enter button (not the SSO button nor the Login button)
- In the SSO interface (for me, on-premise GitLab), log in as my-real-user
- Login succeeds as the victim user
PoC
The details are written above.
Impact
Any user with only SSO (without TOTP) or only password (without TOTP).
Details of my config
Environment: docker-compose + ghcr.io/warp-tech/warpgate:latest (ea9291a75109, v0.7.2? The web interface says v0.7.1)
Docker log:
```
warpgate_1 | 02:06:19 ERROR HTTP: Auth rejected
warpgate_1 | 02:06:19 WARN HTTP: Request failed method=POST url=https://warpgate-onpremiss-domain.domain:port/@warpgate/api/auth/login status=401 Unauthorized
warpgate_1 | 02:06:20 INFO HTTP: Request method=GET url=https://warpgate-onpremiss-domain.domain:port/@warpgate/api/sso/providers/custom/start status=200 OK
warpgate_1 | 02:06:20 INFO HTTP: SSO login as $my-real-username@mail-domain
warpgate_1 | 02:06:20 INFO HTTP: Authenticated username=victim
warpgate_1 | 02:06:20 INFO HTTP: Request method=GET url=https://warpgate-onpremiss-domain.domain:port/@warpgate/api/sso/return?code=XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX&state=XXXXXXXXXXXXXXXXXXXXXX status=307 Temporary Redirect
warpgate_1 | 02:06:20 INFO HTTP: Request method=GET url=https://warpgate-onpremiss-domain.domain:port/@warpgate status=200 OK session=XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX session_username=victim
warpgate_1 | 02:06:20 INFO HTTP: Request method=GET url=https://warpgate-onpremiss-domain.domain:port/@warpgate/api/info status=200 OK session=XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX session_username=victim
```
victim:
- credentials
- Auth policy
  - SSH: In-browser auth
  - HTTP: SSO
  - MySQL: none
- User roles

my-real-user:
- credentials:
- Auth policy
  - SSH: In-browser auth
  - HTTP: SSO
  - MySQL: none
- User roles
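The log above shows the sequence the report describes: the password step is rejected (401), the typed username stays attached to the session, and after the identity provider asserts a different user the session is still marked `Authenticated username=victim`. The following Rust model is an added illustration, not Warpgate's code, of that two-step login: a `Pending` state created from the login form, a flawed SSO-return handler that completes whatever username is pending, and a corrected handler that resolves the identity the IdP actually asserted and requires it to match the pending username. The `Directory` mapping of e-mail to username and all sample identities are constructed for the example.

```rust
use std::collections::HashMap;

/// State of one browser session during the two-step login (constructed model).
#[derive(Debug, Clone, PartialEq)]
pub enum AuthState {
    Anonymous,
    /// A username was typed into the login form, but no credential for it was verified.
    Pending { username: String },
    Authenticated { username: String },
}

#[derive(Debug, PartialEq)]
pub enum SsoError {
    NoPendingLogin,
    UnknownIdentity(String),
    /// The IdP asserted a different user than the one the login form named.
    IdentityMismatch { expected: String, asserted: String },
}

/// Maps the e-mail asserted by the IdP to a local username (constructed sample data).
pub struct Directory {
    by_email: HashMap<String, String>,
}

impl Directory {
    pub fn sample() -> Self {
        let mut by_email = HashMap::new();
        by_email.insert("me@example.com".to_string(), "my-real-user".to_string());
        by_email.insert("victim@example.com".to_string(), "victim".to_string());
        Directory { by_email }
    }

    pub fn username_for_email(&self, email: &str) -> Option<&str> {
        self.by_email.get(email).map(String::as_str)
    }
}

/// Step 1: the login form is submitted with a username (the report's "Enter" step).
/// The password check fails (the 401 in the log), but the typed name is kept on the session.
pub fn submit_username(username: &str) -> AuthState {
    AuthState::Pending { username: username.to_string() }
}

/// Flawed SSO return: any successful IdP login completes the *pending* username
/// without comparing it to the identity the IdP asserted.
pub fn sso_return_flawed(state: &AuthState, _sso_email: &str) -> AuthState {
    match state {
        AuthState::Pending { username } => AuthState::Authenticated { username: username.clone() },
        other => other.clone(),
    }
}

/// Fixed SSO return: resolve the asserted identity to a local user and require it
/// to match the pending username before the session becomes authenticated.
pub fn sso_return_fixed(
    dir: &Directory,
    state: &AuthState,
    sso_email: &str,
) -> Result<AuthState, SsoError> {
    let pending = match state {
        AuthState::Pending { username } => username,
        _ => return Err(SsoError::NoPendingLogin),
    };
    let asserted = dir
        .username_for_email(sso_email)
        .ok_or_else(|| SsoError::UnknownIdentity(sso_email.to_string()))?;
    if asserted != pending {
        return Err(SsoError::IdentityMismatch {
            expected: pending.clone(),
            asserted: asserted.to_string(),
        });
    }
    // Authenticate as the identity the IdP proved, never as the name typed into the form.
    Ok(AuthState::Authenticated { username: asserted.to_string() })
}

fn main() {
    let dir = Directory::sample();
    let pending = submit_username("victim");
    println!("flawed: {:?}", sso_return_flawed(&pending, "me@example.com"));
    println!("fixed:  {:?}", sso_return_fixed(&dir, &pending, "me@example.com"));
}
```

The fixed handler also records the username that came from the directory lookup rather than the pending one, so even a future bug that skips the comparison cannot bind a session to an unverified name; a mismatch is worth logging at WARN level, since in the report's log it is only visible by reading the `SSO login as` and `Authenticated username=` lines side by side.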