CVE-2023-50713

Speckle Server API Token Privilege Escalation

Severity Score

5.0

*CVSS v3.1

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

*KEV

Decision

*SSVC

Descriptions

Speckle Server provides server, frontend, 3D viewer, and other JavaScript utilities for the Speckle 3D data platform. A vulnerability in versions prior to 2.17.6 affects users who: authorized an application which requested a 'token write' scope or, using frontend-2, created a Personal Access Token (PAT) with `token write` scope. When creating a new token an agent needs to authorise the request with an existing token (the 'requesting token'). The requesting token is required to have token write scope in order to generate new tokens. However, Speckle server was not verifying that other privileges granted to the new token were not in excess of the privileges of the requesting token. A malicious actor could use a token with only token write scope to subsequently generate further tokens with additional privileges. These privileges would only grant privileges up to the existing privileges of the user. This vulnerability cannot be used to escalate a user's privileges or grant privileges on behalf of other users.

This has been patched as of version 2.17.6. All operators of Speckle servers should upgrade their server to version 2.17.6 or higher. Any users who authorized an application with 'token write' scope, or created a token in frontend-2 with `token write` scope should review existing tokens and permanently revoke any they do not recognize, revoke existing tokens and create new tokens, and review usage of their account for suspicious activity. No known workarounds for this issue exist.

Speckle Server proporciona servidor, interfaz, visor 3D y otras utilidades de JavaScript para la plataforma de datos Speckle 3D. Una vulnerabilidad en versiones anteriores a la 2.17.6 afecta a los usuarios que: autorizaron una aplicación que solicitó un alcance de "escritura de token" o, utilizando frontend-2, crearon un token de acceso personal (PAT) con alcance de "escritura de token". Al crear un nuevo token, un agente debe autorizar la solicitud con un token existente (el "token solicitante"). Se requiere que el token solicitante tenga alcance de escritura de token para poder generar nuevos tokens. Sin embargo, el servidor Speckle no estaba verificando que otros privilegios otorgados al nuevo token no excedieran los privilegios del token solicitante. Un actor malintencionado podría utilizar un token con alcance de escritura de token únicamente para generar posteriormente más tokens con privilegios adicionales. Estos privilegios solo otorgarían permisos hasta los privilegios existentes del usuario. Esta vulnerabilidad no se puede utilizar para escalar los privilegios de un usuario ni otorgar permisos en nombre de otros usuarios. Esto ha sido parcheado a partir de la versión 2.17.6. Todos los operadores de servidores Speckle deben actualizar su servidor a la versión 2.17.6 o superior. Cualquier usuario que haya autorizado una aplicación con alcance de "escritura de token" o haya creado un token en frontend-2 con alcance de "escritura de token" debe revisar los tokens existentes y revocar permanentemente los que no reconozcan, revocar los tokens existentes y crear nuevos tokens, y revisar uso de su cuenta para actividades sospechosas. No existen workarounds conocidas para este problema.

*Credits: N/A

Attack Vector

Network

Attack Complexity

High

Privileges Required

Low

User Interaction

None

Scope

Unchanged

Confidentiality

Low

Integrity

Low

Availability

Low

Attack Vector

Network

Attack Complexity

High

Privileges Required

Low

User Interaction

Required

Scope

Changed

Confidentiality

Low

Integrity

High

Availability

None

* Common Vulnerability Scoring System

SSVC

Decision:-

Exploitation

Automatable

Tech. Impact

* Organization's Worst-case Scenario

Timeline

2023-12-11 CVE Reserved
2023-12-14 CVE Published
2024-08-02 CVE Updated
2024-11-13 EPSS Updated
---------- Exploited in Wild
---------- KEV Due Date
---------- First Exploit

CWE

CWE-1220: Insufficient Granularity of Access Control

CAPEC

References (3)

URL	Tag	Source
https://github.com/specklesystems/speckle-server/releases/tag/2.17.6	Release Notes
https://github.com/specklesystems/speckle-server/security/advisories/GHSA-xpf3-5q5x-3qwh	Third Party Advisory

URL	Date	SRC

URL	Date	SRC
https://github.com/specklesystems/speckle-server/commit/3689e1cd58ec4f06abee836af34889d6ce474571	2023-12-28

URL	Date	SRC

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
Specklesystems Search vendor "Specklesystems"		Speckle Server Search vendor "Specklesystems" for product "Speckle Server"				< 2.17.6 Search vendor "Specklesystems" for product "Speckle Server" and version " < 2.17.6"		-		Affected