CVE-2023-32749
published 2023-06-08

Priority: P2 (70) · Severity: high · CVSS 3.1 base score: 8.8
CVSS 3.1 vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Exploit: yes
EPSS: 14.20% (96.1st percentile)
Pydio Cells allows users by default to create so-called external users in order to share files with them. By modifying the HTTP request sent when creating such an external user, it is possible to assign the new user arbitrary roles. By assigning all roles to a newly created user, access to all cells and non-personal workspaces is granted.

Affected (2 ranges)

Vendor   Product   Version range         Fixed in
pydio    cells     < 3.0.12              3.0.12
pydio    cells     >= 4.1.0, < 4.1.3     4.1.3

Detection & IOCs (extracted from sources)

url: /a/user/newuser
url: /a/user
url: /a/user/foobar
other: profile: shared
  • Monitor for HTTP PUT requests to the /a/user/<username> REST API endpoint originating from non-administrative user sessions, especially where the request body contains a non-empty 'Roles' array — this indicates an attempt to assign arbitrary roles during external user creation.
  • Alert on PUT /a/user/* requests where the JSON body includes a 'Roles' key with more than the default two role entries (EXTERNAL_USERS role and the user's own role UUID), as this is the mechanism used to escalate privileges.
  • Detect enumeration of all users and their roles via a low-privilege (regular, non-admin account) POST to /a/user with an empty JSON body '{}', which is used to harvest all role UUIDs prior to exploitation.
  • Flag newly created external users (profile=shared) that immediately authenticate and access multiple workspaces/cells, as this is the post-exploitation access pattern after successful role assignment.
  • Correlate a GET/POST to /a/user (role enumeration) followed shortly by a PUT to /a/user/<new_username> from the same Bearer token as a high-confidence attack sequence indicator.
  • The external user creation feature is enabled by default, making all default Pydio Cells installations exploitable without any additional configuration by the attacker.
  • As a workaround prior to patching, disabling external user creation in the authentication settings eliminates the attack surface entirely.
  • The vulnerability affects Pydio Cells 4.1.2 and earlier; fixed versions are 4.2.0, 4.1.3, and 3.0.12. Detection rules should be scoped to instances running versions prior to these.
  • Exploitation requires only a regular (non-admin) user account; no special privileges are needed to trigger the vulnerability, lowering the bar for attackers significantly.
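The detection bullets above describe three observable pieces of the attack: the empty-body POST to /a/user that lists every role UUID, the PUT to /a/user/<username> whose 'Roles' array carries more than the two default entries, and the two occurring in sequence from the same bearer token. The following is an added example (not code from this page, from Pydio, or from any published detection rule) that runs those rules over constructed, proxy-style request records. The record layout (ts, token, admin, method, path, body), the role identifiers inside the sample bodies, and the 15-minute correlation window are assumptions made for the example, not Pydio log formats.

```python
"""Detection logic for the CVE-2023-32749 role-escalation pattern (added example)."""
import json
from datetime import datetime, timedelta

# Default role count on a legitimately created external user, per the bullets
# above: the EXTERNAL_USERS role plus the new user's own role UUID.
DEFAULT_ROLE_COUNT = 2

# Constructed sample records, modelled on what a reverse proxy in front of Pydio
# Cells could log. The tokens, role identifiers and timestamps are made up.
SAMPLE_LOG = [
    {"ts": "2023-06-08T10:00:00Z", "token": "tok-A", "admin": False,
     "method": "POST", "path": "/a/user", "body": "{}"},                      # enumeration
    {"ts": "2023-06-08T10:00:04Z", "token": "tok-A", "admin": False,
     "method": "PUT", "path": "/a/user/foobar",
     "body": json.dumps({"Login": "foobar", "Attributes": {"profile": "shared"},
                         "Roles": [{"Uuid": "EXTERNAL_USERS"}, {"Uuid": "role-of-foobar"},
                                   {"Uuid": "role-admins"}, {"Uuid": "role-root-group"}]})},
    {"ts": "2023-06-08T11:00:00Z", "token": "tok-B", "admin": False,
     "method": "PUT", "path": "/a/user/newuser",                              # benign share
     "body": json.dumps({"Login": "newuser", "Attributes": {"profile": "shared"},
                         "Roles": [{"Uuid": "EXTERNAL_USERS"}, {"Uuid": "role-of-newuser"}]})},
    {"ts": "2023-06-08T12:00:00Z", "token": "tok-C", "admin": True,
     "method": "PUT", "path": "/a/user/alice",                                # admin action
     "body": json.dumps({"Login": "alice",
                         "Roles": [{"Uuid": "EXTERNAL_USERS"}, {"Uuid": "role-of-alice"},
                                   {"Uuid": "role-admins"}]})},
]


def user_login_from_path(path):
    """Return <username> for a path of the exact form /a/user/<username>, else None."""
    parts = path.rstrip("/").split("/")
    if len(parts) == 4 and parts[:3] == ["", "a", "user"] and parts[3]:
        return parts[3]
    return None


def role_uuids(body):
    """Extract Roles[].Uuid from a JSON request body; [] if absent or unparseable."""
    try:
        doc = json.loads(body or "")
    except ValueError:
        return []
    roles = doc.get("Roles") if isinstance(doc, dict) else None
    if not isinstance(roles, list):
        return []
    return [r.get("Uuid", "?") if isinstance(r, dict) else str(r) for r in roles]


def is_empty_search(method, path, body):
    """POST /a/user with body '{}' lists every user and role, harvesting role UUIDs."""
    if method != "POST" or path.rstrip("/") != "/a/user":
        return False
    try:
        return json.loads(body or "") == {}
    except ValueError:
        return False


def detect(records, window=timedelta(minutes=15)):
    """Apply the three rules to request records; return a list of alert dicts."""
    alerts = []
    last_enum = {}  # bearer token -> timestamp of its most recent empty search
    for rec in sorted(records, key=lambda r: r["ts"]):
        ts = datetime.fromisoformat(rec["ts"].replace("Z", "+00:00"))
        tok, method, path, body = rec["token"], rec["method"], rec["path"], rec.get("body", "")
        if rec.get("admin"):
            continue  # admins may legitimately assign roles; scope rules to non-admin sessions
        if is_empty_search(method, path, body):
            last_enum[tok] = ts
            alerts.append({"rule": "role_enumeration", "token": tok, "confidence": "low"})
            continue
        login = user_login_from_path(path)
        if method == "PUT" and login:
            roles = role_uuids(body)
            if len(roles) > DEFAULT_ROLE_COUNT:  # more than EXTERNAL_USERS + own role
                alerts.append({"rule": "excess_roles", "token": tok, "login": login,
                               "roles": roles, "confidence": "medium"})
            enum_ts = last_enum.get(tok)
            if enum_ts is not None and ts - enum_ts <= window:  # enumerate, then create
                alerts.append({"rule": "enum_then_create", "token": tok, "login": login,
                               "confidence": "high"})
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(alert)
```

Run against the constructed records, tok-A produces all three alerts (enumeration, four roles on the new user, and the enumerate-then-create sequence), tok-B's two-role creation produces nothing, and tok-C is skipped because it is an admin session. In production, the own-role UUID is not knowable from the request alone, so the count-based threshold is a deliberate approximation; tightening it requires looking the new user up after creation.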