Impact
Any user with staff permissions can install plugins via the API without holding a "superuser" account. This is inconsistent with other plugin actions (such as uninstalling), which do require superuser access.
The vulnerability allows staff users (who may be considered less trusted than a superuser account) to install arbitrary, and potentially harmful, plugins. Because a plugin runs with the privileges of the InvenTree server process, installing one is effectively a code-execution primitive, which is why it should be gated on the highest level of account trust.
Note: As per our threat model documentation, which covers our "assumed level of trust", all users must be trusted. Staff users have a high level of privileges, so this flag should only be applied to strictly controlled and trusted accounts.
Patches
The vulnerability has been patched in version 1.2.7, and the upcoming 1.3.0 release. These versions now require superuser access to install a plugin.
Workarounds
To prevent this vulnerability from being exploited in unpatched versions of InvenTree, the system administrator can:
- Disable plugins entirely via the PLUGINS_ENABLED environment variable
- Disable runtime plugin installation via the INVENTREE_PLUGIN_NOINSTALL environment variable
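The following is an added example, not code from the InvenTree project or this advisory: a small triage script that decides whether a deployment is exposed, from its version string and the two workaround variables named above. It assumes that a release is patched exactly when its version is 1.2.7 or later, that dev or pre-release version strings should be treated conservatively as unpatched, and that the boolean spellings accepted for the environment variables are the usual `true`/`false`, `1`/`0`, `yes`/`no`, `on`/`off`; the real parsing rules inside InvenTree are not taken from the advisory. It only inspects the process environment, so settings supplied by other means (for example a config file) are not seen by this check.

```python
"""Added example (not InvenTree's own code): classify a deployment as
patched, mitigated or vulnerable for the staff-can-install-plugins issue."""
import re
import sys
import os

# Per the advisory the fix ships in 1.2.7 and 1.3.0; every release >= 1.2.7 is patched.
FIRST_PATCHED = (1, 2, 7)

# Strict x.y.z only: anything with a dev/rc suffix is deliberately not matched.
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)$")

# Assumed boolean spellings (an assumption, not taken from the advisory).
_TRUTHY = {"1", "true", "yes", "on"}
_FALSY = {"0", "false", "no", "off"}


def parse_version(text):
    """Return (major, minor, patch) or None for malformed / pre-release strings."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        return None
    return tuple(int(part) for part in m.groups())


def is_patched(text):
    """Tuple comparison, not string comparison: '1.2.10' must sort after '1.2.7'."""
    version = parse_version(text)
    # Unparseable (e.g. '1.3.0.dev3') is treated as unpatched, the safe default.
    return version is not None and version >= FIRST_PATCHED


def _as_bool(value):
    """Map an env value to True/False, or None if missing or unrecognised."""
    if value is None:
        return None
    v = value.strip().lower()
    if v in _TRUTHY:
        return True
    if v in _FALSY:
        return False
    return None


def active_workarounds(env):
    """List the advisory's workarounds that are in force in this environment."""
    found = []
    if _as_bool(env.get("PLUGINS_ENABLED")) is False:
        found.append("PLUGINS_ENABLED=false (plugins disabled entirely)")
    if _as_bool(env.get("INVENTREE_PLUGIN_NOINSTALL")) is True:
        found.append("INVENTREE_PLUGIN_NOINSTALL set (runtime install disabled)")
    return found


def assess(version, env):
    """'patched' beats 'mitigated' beats 'vulnerable'."""
    if is_patched(version):
        return "patched"
    if active_workarounds(env):
        return "mitigated"
    return "vulnerable"


if __name__ == "__main__":
    # Constructed sample cases to show the three outcomes and the dev-suffix rule.
    samples = [
        ("1.2.6", {}),
        ("1.2.6", {"PLUGINS_ENABLED": "false"}),
        ("1.2.10", {}),
        ("1.3.0.dev3", {"INVENTREE_PLUGIN_NOINSTALL": "1"}),
    ]
    for ver, env in samples:
        print(f"{ver:12} {env!s:45} -> {assess(ver, env)}")
    # Usage: python check.py <running-version>, inspecting this process's environment.
    if len(sys.argv) > 1:
        print("this host:", assess(sys.argv[1], os.environ))
```

Note that the workaround check is deliberately strict: `PLUGINS_ENABLED` only counts as a mitigation when it is explicitly false, and `INVENTREE_PLUGIN_NOINSTALL` only when it is explicitly true, so an unset or misspelled value never silently reports the host as protected.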
References