Advisory ID: DOPPLER-PSA-2023-003
Publication Date: 2023-11-07
Revision Date: 2023-11-07
Status: Confirmed, Fixed
Document Revision: 1.0

Overview

Doppler has found and resolved an issue that allowed users in a workplace with the built-in “Admin” role to exceed their privileges using custom roles. Customers are not required to take any action in response to this issue.

Doppler received a bug bounty report on Wednesday, October 18th, 2023 identifying a discrepancy in Doppler’s permissions documentation. The issue was reclassified as an authorization vulnerability on Tuesday, November 7, 2023 and Doppler delivered a fix to production on the same day. An audit was completed immediately after the fix was delivered and concluded that no workplaces were impacted.

Description

A report was submitted to Doppler’s public bug bounty program on October 18th, 2023, identifying a discrepancy in Doppler’s permission documentation. The researcher identified that users with the Admin workplace role should have read-only access to custom roles but were actually able to manage custom roles — including the ability to modify the permissions assigned to custom roles.

The behavior was confirmed by a security analyst and the submission was classified as an issue with Doppler’s documentation. Upon further discussion with the researcher, it was identified on November 6th, 2023 that the Admin role should not have the ability to manage custom roles because it would allow Admin users to grant permissions that they wouldn’t normally have.

Impact

A user with the Admin role could modify the permissions for a custom role. This would allow the user to grant the custom role permissions that the Admin does not have (e.g. team management, billing, workplace settings, etc.). This issue was only exploitable by users with the built-in Admin role in workplaces using custom roles. An internal audit indicated that this bug was not abused, either intentionally or accidentally.
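To make the escalation path concrete, here is an added toy model (not Doppler's code; role and permission names are constructed) contrasting an authorization check that keys on the built-in role name with one that requires an explicit manage permission and refuses any grant exceeding the caller's own permissions:

```python
from dataclasses import dataclass, field

# Constructed permission names; Doppler's real permission set is not on the page.
# Assumed built-in roles: Owner holds everything, Admin (per the advisory's
# intended model) may only read custom roles and lacks team/billing/settings.
BUILTIN_ROLES = {
    "owner": frozenset({"projects.manage", "custom_roles.read", "custom_roles.manage",
                        "team.manage", "billing.manage", "workplace_settings.manage"}),
    "admin": frozenset({"projects.manage", "custom_roles.read"}),
}

@dataclass
class Actor:
    name: str
    builtin_role: str

@dataclass
class CustomRole:
    name: str
    permissions: set = field(default_factory=set)

def update_custom_role_vulnerable(actor, role, new_perms):
    # Before the fix, as the advisory describes it: the check keys on the
    # built-in role name, so an Admin can write permissions it does not hold.
    if actor.builtin_role not in ("owner", "admin"):
        raise PermissionError(f"{actor.name} may not manage custom roles")
    role.permissions = set(new_perms)
    return role

def update_custom_role_fixed(actor, role, new_perms):
    # After: require the explicit manage permission (Admin only has read) and,
    # as defence in depth, refuse any grant that exceeds the actor's own set.
    held = BUILTIN_ROLES[actor.builtin_role]
    if "custom_roles.manage" not in held:
        raise PermissionError(f"{actor.name} has read-only access to custom roles")
    escalated = set(new_perms) - held
    if escalated:
        raise PermissionError(f"{actor.name} cannot grant {sorted(escalated)}")
    role.permissions = set(new_perms)
    return role

def admin_can_escalate(update) -> bool:
    # True if `update` lets an Admin hand a custom role the billing permission.
    role = CustomRole("finance-helper", {"projects.manage"})
    try:
        update(Actor("alice", "admin"), role, {"projects.manage", "billing.manage"})
    except PermissionError:
        return False
    return "billing.manage" in role.permissions
```

The containment check in the fixed version also catches the same class of bug if some other role is later granted management rights without holding every permission it could assign.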

Solution

A code fix remediating this vulnerability has been deployed to Doppler’s infrastructure. No action is required from customers.

Next Steps

Vulnerability Metrics

Vulnerability Class: CWE-863: Incorrect Authorization
Remotely Exploitable: Yes
Authentication Required: Yes
Severity: Medium
CVSSv3.0 Overall Score: 5.0
CVSSv3.0 Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N

Timeline

October 18, 2023: Bug bounty report received identifying the discrepancy in Doppler's permissions documentation; behavior confirmed and classified as a documentation issue.

November 6, 2023: Further discussion with the researcher establishes that the Admin role should not be able to manage custom roles.

November 7, 2023: Issue reclassified as an authorization vulnerability; fix deployed to production; audit completed with no impacted workplaces.