VYPR
Critical severity · NVD Advisory · Published Nov 17, 2022 · Updated Apr 30, 2025

CVE-2022-43138

Description

Dolibarr Open Source ERP & CRM for Business before v14.0.1 allows attackers to escalate privileges via a crafted API.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Dolibarr ERP/CRM before 14.0.1 allows privilege escalation via a crafted API request, due to missing permission checks in REST endpoints.

Vulnerability

Analysis

The vulnerability lies in the REST API endpoints of the Users class in Dolibarr ERP/CRM. In versions prior to 14.0.1, several API methods such as get(), getByLogin(), and getByEmail() had their permission checks commented out, allowing any authenticated user to call them without proper authorization [1]. The commit that fixes this issue restores the checks for the user->user->lire permission, which verifies that the requester has read access to user data.
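The missing-check pattern described above, as an added illustration that is not Dolibarr's own code: a small PHP stand-in for a users endpoint shows the commented-out check (the vulnerable shape) beside a deny-by-default version in which every read method calls a single gate before touching data. The class names, the array-based rights layout, the exception type and the sample users are assumptions for this example; Dolibarr's real API classes, rights objects and exception types differ.

```php
<?php
// Added example, not Dolibarr code: deny-by-default permission gate for a
// REST users endpoint. Names and the rights layout are hypothetical.
declare(strict_types=1);

final class ApiException extends RuntimeException
{
    public function __construct(public readonly int $status, string $message)
    {
        parent::__construct($message);
    }
}

// Stand-in for an authenticated API caller carrying a rights tree.
final class ApiUser
{
    public function __construct(public readonly int $id, public readonly array $rights) {}

    // Rights are addressed by dotted path, e.g. "user.user.lire".
    // A missing node is treated as denied, never as granted.
    public function hasRight(string $path): bool
    {
        $node = $this->rights;
        foreach (explode('.', $path) as $key) {
            if (!is_array($node) || !array_key_exists($key, $node)) {
                return false;
            }
            $node = $node[$key];
        }
        return $node === true;
    }
}

final class UsersApi
{
    // Constructed sample records standing in for the users table.
    private const USERS = [
        1 => ['login' => 'admin', 'email' => 'admin@example.test', 'admin' => true],
        2 => ['login' => 'alice', 'email' => 'alice@example.test', 'admin' => false],
    ];

    public function __construct(private readonly ApiUser $caller) {}

    // Vulnerable shape: the check exists only as a comment, so any
    // authenticated caller can read any user record, including admin.
    public function getVulnerable(int $id): array
    {
        // if (!$this->caller->hasRight('user.user.lire')) { throw new ApiException(403, 'Forbidden'); }
        return $this->lookup($id);
    }

    // Fixed shape: the right is enforced before any data is touched.
    public function get(int $id): array
    {
        $this->requireRight('user.user.lire');
        return $this->lookup($id);
    }

    public function getByLogin(string $login): array
    {
        $this->requireRight('user.user.lire');
        foreach (self::USERS as $id => $u) {
            if ($u['login'] === $login) {
                return $this->lookup($id);
            }
        }
        throw new ApiException(404, 'User not found');
    }

    // One gate for every read method, so a forgotten check is a visible omission.
    private function requireRight(string $right): void
    {
        if (!$this->caller->hasRight($right)) {
            throw new ApiException(403, "Missing right $right");
        }
    }

    private function lookup(int $id): array
    {
        if (!isset(self::USERS[$id])) {
            throw new ApiException(404, 'User not found');
        }
        return ['id' => $id] + self::USERS[$id];
    }
}

// Demo: a low-privileged caller whose user-read right is not granted.
$lowPriv = new ApiUser(2, ['user' => ['user' => ['lire' => false]]]);
$api = new UsersApi($lowPriv);

echo $api->getVulnerable(1)['login'], "\n";     // prints "admin": the record leaks

try {
    $api->get(1);
} catch (ApiException $e) {
    echo $e->status, ' ', $e->getMessage(), "\n"; // 403 Missing right user.user.lire
}
```

Run with `php example.php` (PHP 8.1 or later for promoted readonly properties). The point of routing every method through `requireRight()` is that an authorization gap becomes a missing call, which is easy to grep for or cover with a test that asserts a 403 for a caller without the right, rather than a commented-out block that reads as intentional.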

Exploitation

An attacker with a low-privileged account can exploit this by crafting API requests to the unprotected endpoints. For example, the get() method (which returns user details by ID) originally had its permission check disabled. An attacker could enumerate other users, including administrators, by sending direct API calls. According to an exploit published on Exploit-DB, this chain of issues can be used to compromise any Dolibarr user account, including the admin [3].

Impact

Successful exploitation leads to privilege escalation. The attacker gains unauthorized access to user data and potentially administrative functions. This could result in full compromise of the Dolibarr instance, exposing sensitive business data and allowing further malicious actions.

Mitigation

The vulnerability is patched in Dolibarr version 14.0.1 [1]. Users should upgrade immediately to the latest version. The official commit and the Exploit-DB entry both reference the fix. No workarounds are mentioned, so upgrading is the recommended course of action [4].

AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package            Ecosystem   Affected versions   Patched versions
dolibarr/dolibarr  Packagist   < 14.0.1            14.0.1

Affected products: 3

Patches: 0 (no patches discovered yet)

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References: 4

News mentions: 0 (no linked articles in our index yet)