Advisory ID: DOPPLER-PSA-2023-002
Publication Date: 2023-07-14
Revision Date: 2023-07-14
Status: Confirmed, Fixed
Document Revision: 1.0

Overview

Doppler has found and resolved an issue that allowed users in a workplace to exceed their privileges under certain Group configurations. Customers are not required to take any action in response to this issue.

Doppler discovered the issue internally on Thursday, July 13, 2023 and delivered a fix to production on the same day. An audit was completed on Friday, July 14, 2023 and concluded that no workplaces were impacted.

Description

During standard code review, Doppler's Engineering Team discovered an authorization vulnerability stemming from the use of Groups. If a user was granted the ability to write secrets to at least one environment within a project, they could write secrets to any other environment in that project in which they held some level of access, even if that access did not include the ability to write secrets.

A similar issue was discovered and corrected in DOPPLER-PSA-2023-001. The “Apply to Other Environments” feature uses bespoke authorization logic and was thus not identified or corrected as part of that incident.
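To make the failure mode concrete, the following is an added, illustrative example and is not Doppler's code: a hypothetical permission model in which Group grants are flattened into a user's effective grants, a bespoke "apply to other environments" check with the flaw described above, and the per-environment check that corrects it. Every name in it (the "alice" user, the "readers" Group, the "backend" project and its dev/prd/stg environments) is constructed sample data.

```python
"""Illustrative model of the Group-permission flaw (not Doppler's code)."""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Set, Tuple

READ = "read_secrets"
WRITE = "write_secrets"


@dataclass(frozen=True)
class Grant:
    project: str
    environment: str
    permissions: FrozenSet[str]


# Constructed sample data (hypothetical names, not real Doppler data):
# alice holds a direct write grant on backend/dev and, through the
# "readers" Group, a read-only grant on backend/prd.
USER_GRANTS: Dict[str, List[Grant]] = {
    "alice": [Grant("backend", "dev", frozenset({READ, WRITE}))],
}
GROUP_MEMBERS: Dict[str, Set[str]] = {"readers": {"alice"}}
GROUP_GRANTS: Dict[str, List[Grant]] = {
    "readers": [Grant("backend", "prd", frozenset({READ}))],
}


def effective_grants(user: str) -> List[Grant]:
    """Direct grants plus every grant inherited through Group membership."""
    grants = list(USER_GRANTS.get(user, []))
    for group, members in GROUP_MEMBERS.items():
        if user in members:
            grants.extend(GROUP_GRANTS.get(group, []))
    return grants


def env_permissions(user: str, project: str, env: str) -> Set[str]:
    """Union of permissions from every grant covering (project, env).

    This is the single, shared authorization question the rest of a code
    base should ask; the fixed check below routes through it.
    """
    perms: Set[str] = set()
    for g in effective_grants(user):
        if g.project == project and g.environment == env:
            perms |= g.permissions
    return perms


def vulnerable_apply(user: str, project: str,
                     targets: List[str]) -> Tuple[List[str], List[str]]:
    """Flawed bespoke check: 'can write somewhere in this project' is treated
    as sufficient, and each target environment only needs *some* access.
    Returns (environments that would be written, environments denied)."""
    can_write_somewhere = any(
        WRITE in g.permissions
        for g in effective_grants(user) if g.project == project
    )
    allowed: List[str] = []
    denied: List[str] = []
    for env in targets:
        if can_write_somewhere and env_permissions(user, project, env):
            allowed.append(env)  # read-only prd slips through here
        else:
            denied.append(env)
    return allowed, denied


def fixed_apply(user: str, project: str,
                targets: List[str]) -> Tuple[List[str], List[str]]:
    """Corrected check: write permission is evaluated per target environment
    through the same env_permissions() path used everywhere else."""
    allowed: List[str] = []
    denied: List[str] = []
    for env in targets:
        if WRITE in env_permissions(user, project, env):
            allowed.append(env)
        else:
            denied.append(env)
    return allowed, denied


if __name__ == "__main__":
    print("vulnerable:", vulnerable_apply("alice", "backend", ["prd", "stg"]))
    print("fixed:     ", fixed_apply("alice", "backend", ["dev", "prd", "stg"]))
```

The bug is the combination of a project-wide "can write somewhere" predicate with an any-access test per target; the fix asks one per-environment question, which is also what consolidating the check into a single authorization path buys you.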

Impact

A user with multiple permission grants on a project could have had more permissions than the Doppler interface implied. This was only exploitable via the “Apply to Other Environments” feature exposed in the Doppler dashboard, and all writes would have been logged to the Config Log and Activity Log. An internal audit indicated that this bug was not abused, either intentionally or accidentally.

Solution

A code fix remediating this vulnerability has been deployed to Doppler’s infrastructure. No action is required from customers.

Next Steps

This is the second incident to occur related to Group permissions. We will be conducting an internal postmortem and a review of all other permission checks that are affected by Groups. We will also work to consolidate these permission checks so that this authorization logic occurs in a single place, without bespoke checks. This is a pattern we have generally followed throughout our codebase, with few exceptions; those exceptions are now worth revisiting.

Vulnerability Metrics

Vulnerability Class: CWE-285: Improper Authorization
Remotely Exploitable: Yes
Authentication Required: Yes
Severity: Medium
CVSSv3.1 Overall Score: 5.2
CVSSv3.1 Vector: AV:N/AC:L/PR:H/UI:R/S:U/C:N/I:H/A:L

Timeline

July 13, 2023 11:33 PT

Doppler identifies the issue and confirms the root cause.

July 13, 2023 14:42 PT

Doppler completes deployment of patched code to production and verifies the issue no longer exists.