VYPR
Unrated severity · NVD Advisory · Published Jan 10, 2023 · Updated Apr 7, 2025

CVE-2023-22903

Description

api/views/user.py in LibrePhotos before e19e539 has incorrect access control.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

LibrePhotos had incorrect access control in user API views allowing unauthorized operation.

Vulnerability

The file api/views/user.py in LibrePhotos prior to commit e19e539 contained incorrect access control logic. The UserViewSet used overly permissive permission classes, notably allowing AllowAny for the list action and using IsUserOrReadOnly as a fallback [1]. This permitted unauthenticated users to list all user accounts and perform other unauthorized actions depending on the request method. The fix changes the default permission to IsAdminUser, restricts listing to admin users, and adds a check that only the first superuser can create an initial account without authentication.
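To make the permission change concrete, the following is an added example written for this page; it is not LibrePhotos code and does not use Django REST Framework itself. It is a small stand-in for DRF's per-action permission dispatch: the `Request`, `User` and permission classes are simplified stand-ins (the read-anyone/write-authenticated semantics given to `IsUserOrReadOnly` are an assumption), the action names follow DRF viewset conventions, and the two viewsets encode the before/after shapes the advisory describes: `AllowAny` on `list` with `IsUserOrReadOnly` as the fallback, versus `IsAdminUser` by default with unauthenticated `create` allowed only while no superuser exists.

```python
"""Stand-in model of DRF-style permission dispatch for a user viewset.

Added example, not LibrePhotos code. Request, User and the permission
classes are simplified stand-ins for the Django REST Framework objects;
the semantics of IsUserOrReadOnly are assumed (anyone may read, only
authenticated users may write).
"""
from dataclasses import dataclass
from typing import List, Optional

SAFE_METHODS = ("GET", "HEAD", "OPTIONS")


@dataclass
class User:
    username: str
    is_superuser: bool = False
    is_authenticated: bool = True


@dataclass
class Request:
    method: str
    user: Optional[User] = None  # None models an anonymous request

    @property
    def is_anonymous(self) -> bool:
        return self.user is None or not self.user.is_authenticated


class AllowAny:
    def has_permission(self, request: Request, view) -> bool:
        return True


class IsAdminUser:
    def has_permission(self, request: Request, view) -> bool:
        return not request.is_anonymous and request.user.is_superuser


class IsUserOrReadOnly:
    """Assumed semantics: reads are open, writes need an authenticated user."""

    def has_permission(self, request: Request, view) -> bool:
        return request.method in SAFE_METHODS or not request.is_anonymous


class BaseUserViewSet:
    def __init__(self, existing_users: List[User]):
        self.users = list(existing_users)

    def get_permissions(self, action: str):
        raise NotImplementedError

    def check(self, action: str, request: Request) -> bool:
        """Mirror DRF: every permission class for the action must allow it."""
        return all(p.has_permission(request, self) for p in self.get_permissions(action))


class VulnerableUserViewSet(BaseUserViewSet):
    """Pre-fix mapping from the advisory: AllowAny for list, IsUserOrReadOnly otherwise."""

    def get_permissions(self, action: str):
        if action == "list":
            return [AllowAny()]
        return [IsUserOrReadOnly()]


class FixedUserViewSet(BaseUserViewSet):
    """Post-fix mapping from the advisory: IsAdminUser by default (so listing is
    admin-only), with an unauthenticated create allowed only while no superuser
    exists yet, i.e. the first-run bootstrap of the initial account."""

    def get_permissions(self, action: str):
        if action == "create" and not any(u.is_superuser for u in self.users):
            return [AllowAny()]
        return [IsAdminUser()]


def anonymous_exposure(viewset: BaseUserViewSet) -> List[str]:
    """Return the actions an anonymous client can reach; a quick audit helper."""
    probes = {"list": "GET", "retrieve": "GET", "create": "POST", "partial_update": "PATCH"}
    return sorted(a for a, m in probes.items() if viewset.check(a, Request(m)))


if __name__ == "__main__":
    seeded = [User("admin", is_superuser=True)]  # constructed sample user
    print("vulnerable:", anonymous_exposure(VulnerableUserViewSet(seeded)))
    print("fixed:     ", anonymous_exposure(FixedUserViewSet(seeded)))
    print("fixed, empty install:", anonymous_exposure(FixedUserViewSet([])))
```

`anonymous_exposure` is the kind of check worth running against any viewset whose `get_permissions` branches on action: with a superuser already present, the vulnerable mapping still exposes `list` and `retrieve` to anonymous clients, while the fixed mapping exposes nothing, and only an empty install (no superuser yet) opens `create` for the initial account.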

Exploitation

An attacker does not need authentication to exploit this vulnerability. An unauthenticated HTTP request (e.g., a GET to the user list endpoint) is enough: the server returns the list of all users because the list action carries the AllowAny permission. Additionally, after an initial admin user exists, an unauthenticated attacker could potentially create new user accounts or modify user data if the flawed permission logic allowed it [1].

Impact

Successful exploitation results in unauthorized access to sensitive information (disclosure of all user accounts) and the ability to create or modify user records without proper privileges. This could lead to further compromise of the LibrePhotos instance, such as privilege escalation or data manipulation.

Mitigation

The vulnerability was fixed in commit e19e539 on 2022-01-05. Users must update LibrePhotos to a version that includes this commit or later. There are no known workarounds, and the affected software is not listed on CISA's Known Exploited Vulnerabilities (KEV) catalog as of this writing.

AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products: 2

Patches: 0

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References: 2

News mentions: 0

No linked articles in our index yet.