CVE-2019-11218: Privilege escalation in Bonobo Git Server AccountController

• Vulnerability Type: CWE-235: Improper Handling of Extra Parameters
• Vendor: Jakub Chodounsky
• Affected Product: Bonobo Git Server - 6.3.0 (other versions has not been assessed)
• Affected Component: AccountController
• Attack Type: Remote
• Impact: Privilege escalation
• Attack Vectors: web form submission

Improper Handling of Extra Parameters in the AccountController (User Profile edit) in Jakub Chodounsky Bonobo Git Server 6.3.0 allows authenticated users to gain application administrator privileges via additional form parameter submissions.

Bonobo.Git.Server/Controllers/AccountController.cs application logic in public ActionResult Edit(UserEditModel model) does not properly validate form submission of the user profile modification when modifying user's own profile. Appending PostedSelectedRoles results in arbitrary role assignment to the profile. Subsequent refresh of the the session (relog) is needed to the change to take effect.

The issue is fixed in version 6.5.0.

• 2019-04-08 – vendor notification
• 2019-04-08 – vendor responded, affected product is not under development or maintenance
• 2019-04-12 – CVE assigned
• 2019-04-13 – opened issue in github.com to reach other contributors jakubgarfield/Bonobo-Git-Server/issues/831
• 2019-04-15 – vulnerability internally disclosed to the current maintainer
• 2019-04-20 – fixed version released by vendor/contributors; https://bonobogitserver.com/changelog/#version-650
• 2019-04-25 – full description published