Missing authorization in Client-Server API in Conduit <=0.7.0, allowing for any alias to be removed and added to another room, which can be used for privilege escalation by moving the #admins alias to a room which they control, allowing them to run commands resetting passwords, siging json with the server's key, deactivating users, and more
An attacker with access to the Conduit server can remove and add room aliases without proper authorization. By moving the #admins alias to a room they control, they gain access to privileged administrative commands. This allows them to, among other things, reset passwords of other users, sign data with the server key, deactivate user accounts, and perform other operations reserved for administrators.
An attacker can obtain full administrative privileges on the Conduit server, enabling them to take over user accounts, sign data using the server key, and deactivate any accounts — leading to compromise of the entire instance.
Conduit should be updated to version 0.8.0 or newer, released on June 12, 2024, which contains the fix for this vulnerability. Details are available in the vendor's references: https://conduit.rs/changelog/#v0-8-0-2024-06-12
Conduit in versions 0.7.0 and earlier
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:HConduit
APPConduit< 0.8.0
Related vulnerabilities
Lack of privilege checking when processing a redaction in Conduit versions v0.6.0 and lower, allowing a local ...
Lack of consideration of key expiry when validating signatures in Conduit, allowing an attacker which has comp...
Lack of validation of origin in federation API in Conduit, allowing any remote server to impersonate any user ...
Incomplete cleanup when performing redactions in Conduit, allowing an attacker to check whether certain string...