VYPR
Unrated severity · NVD Advisory · Published May 23, 2023 · Updated Feb 12, 2025

Authorization Bypass Through User-Controlled Key in cloudexplorer-dev/cloudexplorer-lite

CVE-2023-2844

Description

Authorization Bypass Through User-Controlled Key in GitHub repository cloudexplorer-dev/cloudexplorer-lite prior to v1.1.0.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

An authorization bypass vulnerability in CloudExplorer Lite before v1.1.0 allows attackers to control object keys, potentially accessing unauthorized cloud resources.

Vulnerability

An authorization bypass vulnerability exists in the getF2CPerfMetricList method of vm-service/backend/src/main/java/com/fit2cloud/provider/impl/huawei/api in CloudExplorer Lite prior to v1.1.0 [1]. The issue is that the regionId parameter is set directly from the incoming request without proper validation, as shown in the code diff where getMetricsRequest.setRegionId(getMetricsRequest.getRegionId()) is added [1]. This allows an attacker who can craft API requests to control the region key used in subsequent operations, bypassing intended access controls [2]. The vulnerability affects all versions before the commit d9f55a44e579d312977b02317b2020de758b763a merged via PR #176 [1].

Exploitation

An attacker must have network access to the CloudExplorer Lite instance and must be able to send authenticated or unauthenticated API requests depending on the deployment configuration [2]. The attacker can manipulate the regionId parameter in a request to a value corresponding to a region they should not have access to, leveraging the user-controlled key to bypass authorization checks that were originally intended to restrict access based on the authenticated user's permitted regions [2]. No other special privileges or race conditions are required; the vulnerability can be triggered by simply sending a crafted request [1][2].

Impact

Successful exploitation allows an attacker to access cloud resource performance metrics, and possibly other data, for regions to which they are not authorized, leading to unauthorized information disclosure [2]. The attacker could enumerate or view monitoring data for cloud resources in the chosen region, potentially revealing sensitive operational details [1][2]. The impact extends to any operation that relies on the regionId key for authorization, since that key is under the caller's control.

Mitigation

The fix was introduced in version v1.1.0, which includes the commit d9f55a44e579d312977b02317b2020de758b763a [1]. Users should upgrade to CloudExplorer Lite v1.1.0 or later immediately [2]. The repository has since been archived and is read-only as of March 31, 2026 [1], so no further patches will be released; however, the fixed version remains available. No workarounds are disclosed in the references [2].

AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
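The flaw class described above (CWE-639, a lookup keyed by a value the caller supplies) is easiest to see next to its fix. The following Java example is added here as an illustration; it is not CloudExplorer Lite's code or its actual patch, and every name in it (GetMetricsRequest, Principal, METRICS_BY_REGION, the region identifiers) is a hypothetical, constructed stand-in. It shows a metrics lookup that trusts the request's regionId beside one that first checks the regionId against the regions the authenticated principal is entitled to.

```java
import java.util.List;
import java.util.Map;
import java.util.Set;

// Added illustration of the user-controlled-key pattern; all names are hypothetical,
// none of this is CloudExplorer Lite's code.
public class RegionAuthzExample {

    /** Hypothetical request object: regionId arrives straight from the HTTP body. */
    static final class GetMetricsRequest {
        private final String regionId;
        GetMetricsRequest(String regionId) { this.regionId = regionId; }
        String getRegionId() { return regionId; }
    }

    /** Hypothetical authenticated principal and the regions it may query. */
    static final class Principal {
        final String name;
        final Set<String> permittedRegions;
        Principal(String name, Set<String> permittedRegions) {
            this.name = name;
            this.permittedRegions = permittedRegions;
        }
    }

    /** Constructed sample backend: performance metrics keyed by region. */
    static final Map<String, List<String>> METRICS_BY_REGION = Map.of(
        "region-a", List.of("cpu_util=41", "mem_util=62"),
        "region-b", List.of("cpu_util=12", "mem_util=30"));

    /** Vulnerable pattern: the key used for the lookup is whatever the caller sent. */
    static List<String> getMetricsUnchecked(Principal p, GetMetricsRequest req) {
        return METRICS_BY_REGION.getOrDefault(req.getRegionId(), List.of());
    }

    /**
     * Hardened pattern: the caller-supplied key is checked against the principal's
     * entitlement before it is used for anything. Null and unknown regions are refused.
     */
    static List<String> getMetricsChecked(Principal p, GetMetricsRequest req) {
        String regionId = req.getRegionId();
        if (regionId == null || !p.permittedRegions.contains(regionId)) {
            throw new SecurityException(
                "principal " + p.name + " is not authorized for region " + regionId);
        }
        return METRICS_BY_REGION.getOrDefault(regionId, List.of());
    }

    public static void main(String[] args) {
        Principal alice = new Principal("alice", Set.of("region-b"));
        GetMetricsRequest otherRegion = new GetMetricsRequest("region-a"); // not in alice's set

        // Unchecked: metrics for a region alice is not entitled to are returned.
        System.out.println("unchecked: " + getMetricsUnchecked(alice, otherRegion));

        // Checked: the same request is refused before any lookup happens.
        try {
            getMetricsChecked(alice, otherRegion);
        } catch (SecurityException e) {
            System.out.println("checked: " + e.getMessage());
        }

        // Checked, own region: normal access still works.
        System.out.println("checked, own region: "
            + getMetricsChecked(alice, new GetMetricsRequest("region-b")));
    }
}
```

The point of the hardened version is that the entitlement check is tied to the authenticated principal, not to the request: a caller can still send any regionId it likes, but the value is only honoured if it is in the server-side set of regions that principal may see. For detection, a SecurityException (or equivalent 403) raised on this path is worth logging with the principal and the requested regionId, since repeated refusals for regions outside a user's set are the observable trace of the probing described in the Exploitation section.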

Affected products: 2

Patches: 0 (no patches discovered yet)

Vulnerability mechanics: AI mechanics synthesis has not run for this CVE yet.

References: 2

News mentions: 0 (no linked articles in our index yet)