Advisory ID: DOPPLER-PSA-2023-001
Publication Date: 2023-05-22
Revision Date: 2023-05-22
Status: Confirmed, Fixed
Document Revision: 1.1

Overview

Doppler has found and resolved an issue that allowed users on a workplace to exceed their privileges under certain Group configurations. Customers are not required to take any action in response to this issue.

Doppler discovered the issue internally on Friday, May 05, 2023. Doppler delivered a fix to production on Friday, May 19, 2023 and notified potentially impacted customers on Monday, May 22, 2023.

Description

During standard code review, Doppler's Engineering Team discovered that if a user was assigned one set of permissions to an environment in a project and a different set of permissions to another environment in the same project, the user effectively held the union of the two permission sets in both environments, rather than the per-environment set that had been assigned. Such a configuration can only be created through Groups.
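The following is an added, illustrative model of the fault class described above and is not Doppler's code: the entity names, permission names, users and grants are constructed for the example. It also assumes one plausible mechanism for how a per-environment check can degrade into a project-wide union (the environment is used only as an access gate, after which the permission set is computed from every grant on the project); Doppler's actual root cause is not stated on this page. The vulnerable resolver sits beside the corrected one, and an audit function reports every (user, environment, permission) the buggy resolver would grant that the fixed one does not, which is the kind of check an internal audit of affected workplaces would run.

```python
"""Model of a per-environment authorization resolver and the cross-environment
union bug described in the advisory. Illustrative only: entities, permission
names and data are constructed for this example and are not Doppler's code."""
from dataclasses import dataclass
from typing import Callable, FrozenSet, Iterable, List, Set, Tuple

# Permission sets are modelled as capability sets so the union is visible.
VIEWER: FrozenSet[str] = frozenset({"read_secrets"})
COLLABORATOR: FrozenSet[str] = frozenset({"read_secrets", "write_secrets"})


@dataclass(frozen=True)
class Grant:
    """A Group-level grant scoped to one environment of one project."""
    project: str
    environment: str
    permissions: FrozenSet[str]


@dataclass(frozen=True)
class Group:
    name: str
    members: FrozenSet[str]
    grants: Tuple[Grant, ...]


def _grants_for(user: str, groups: Iterable[Group], project: str) -> List[Grant]:
    """All grants on `project` that reach `user` through Group membership."""
    return [grant for group in groups if user in group.members
            for grant in group.grants if grant.project == project]


def effective_permissions_buggy(user: str, groups: Iterable[Group],
                                project: str, environment: str) -> FrozenSet[str]:
    """Vulnerable resolver (assumed mechanism): the environment is only used to
    decide *whether* the user may touch it; *what* they may do is then computed
    from every grant on the project, so two per-environment permission sets
    collapse into their union in both environments."""
    mine = _grants_for(user, groups, project)
    if not any(g.environment == environment for g in mine):
        return frozenset()                      # per-environment access gate...
    perms: Set[str] = set()
    for grant in mine:                          # ...but project-wide permission set
        perms |= grant.permissions
    return frozenset(perms)


def effective_permissions_fixed(user: str, groups: Iterable[Group],
                                project: str, environment: str) -> FrozenSet[str]:
    """Corrected resolver: only grants scoped to the requested environment
    contribute, so a collaborator grant on `dev` cannot bleed into `prd`."""
    perms: Set[str] = set()
    for grant in _grants_for(user, groups, project):
        if grant.environment == environment:
            perms |= grant.permissions
    return frozenset(perms)


Resolver = Callable[[str, Iterable[Group], str, str], FrozenSet[str]]


def is_authorized(resolver: Resolver, user: str, groups: Iterable[Group],
                  project: str, environment: str, action: str) -> bool:
    return action in resolver(user, groups, project, environment)


def audit_cross_environment_leak(groups: List[Group], project: str,
                                 environments: Iterable[str]) -> List[Tuple[str, str, str]]:
    """Regression/audit check: every (user, environment, permission) the buggy
    resolver grants that the fixed resolver does not."""
    users = sorted(set().union(*(g.members for g in groups)))
    findings: List[Tuple[str, str, str]] = []
    for user in users:
        for env in environments:
            leaked = (effective_permissions_buggy(user, groups, project, env)
                      - effective_permissions_fixed(user, groups, project, env))
            findings.extend((user, env, p) for p in sorted(leaked))
    return findings


# Constructed scenario: one Group gives alice collaborator rights on `dev` and
# viewer rights on `prd` of the same project; bob has viewer rights on `prd` only.
GROUPS: List[Group] = [
    Group("backend-team", frozenset({"alice"}), (
        Grant("backend", "dev", COLLABORATOR),
        Grant("backend", "prd", VIEWER),
    )),
    Group("prod-readers", frozenset({"bob"}), (
        Grant("backend", "prd", VIEWER),
    )),
]
ENVIRONMENTS = ("dev", "prd")


if __name__ == "__main__":
    for resolver in (effective_permissions_buggy, effective_permissions_fixed):
        ok = is_authorized(resolver, "alice", GROUPS, "backend", "prd", "write_secrets")
        print(f"{resolver.__name__}: alice write_secrets on backend/prd -> {ok}")
    print("leaks:", audit_cross_environment_leak(GROUPS, "backend", ENVIRONMENTS))
```

Note that bob, who holds a single grant, is unaffected under either resolver: the union only appears when the same user holds differing permission sets in two environments of one project, which matches the precondition the advisory describes.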

Impact

An affected user held more permissions in an environment than the Doppler interface showed. An internal audit indicated that this impacted a single-digit number of workplaces and that the issue was not abused. We have reached out to all workplaces that were affected by this bug.

Solution

A code fix remediating this vulnerability has already been deployed to the Doppler infrastructure. No action is necessary from customers.

Vulnerability Metrics

Vulnerability Class: CWE-285: Improper Authorization
Remotely Exploitable: Yes
Authentication Required: Yes
Severity: High
CVSSv3.1 Overall Score: 7.7
CVSSv3.1 Vector: AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:H/A:N

Timeline

May 05, 2023 2:27 AM PT

Doppler Engineering notifies Doppler's Security Team about the issue.

May 05, 2023 3:20 PM PT

Doppler identifies and confirms the root cause.

May 19, 2023 12:50 PM PT

Doppler completes deployment of patched code to production and verifies the issue no longer exists.

May 22, 2023 6:00 PM PT