SKA security advisory: insufficient validation of group access rule edit privileges
Thomas Pike edited this page Sep 15, 2025 · 4 revisions
It was discovered that /groups/{group}/access_rules/{id} accepted POSTs from any authenticated user, allowing them to overwrite SSH authorized_keys options for all group members, regardless of whether they are in the specified group or not.
The impact is privilege escalation and a risk of access disruption for all members of the affected group.
This issue was fixed in commit aa71765.
This issue was identified, reported, and resolved by MegaManSec in #78.
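The following is an added illustration, not code from SKA or from the fix in aa71765, of the authorization gap the advisory describes: one handler for editing a group's access rule that only checks that a caller is authenticated, beside one that also checks the caller's authority over that specific group before the authorized_keys options are overwritten. The data model (group members, group admins, global sysadmins, a per-rule options string) and the function names are assumptions made for the example.

```python
"""Authorization check for a group access-rule edit endpoint (illustrative).

Assumed model: each group has members, a subset of whom are group admins;
global sysadmins may edit any group.  None of this is SKA's actual code.
"""
from dataclasses import dataclass, field


@dataclass
class User:
    name: str
    is_sysadmin: bool = False


@dataclass
class Group:
    name: str
    members: set = field(default_factory=set)
    admins: set = field(default_factory=set)
    # rule id -> authorized_keys options applied to every member's keys
    access_rules: dict = field(default_factory=dict)


class Forbidden(Exception):
    """Raised when the caller is not allowed to perform the edit."""


def edit_access_rule_vulnerable(actor, group, rule_id, options):
    """Vulnerable pattern: only authentication is checked.

    Any logged-in user, member of the group or not, can overwrite the
    options that end up in every member's authorized_keys.
    """
    if actor is None:
        raise Forbidden("authentication required")
    if rule_id not in group.access_rules:
        raise KeyError(rule_id)
    group.access_rules[rule_id] = options
    return group.access_rules[rule_id]


def can_edit_group_rules(actor, group):
    """Authority check: global sysadmin or an admin of this group."""
    return actor.is_sysadmin or actor.name in group.admins


def edit_access_rule_fixed(actor, group, rule_id, options):
    """Hardened pattern: authentication plus authorization against the
    group named in the URL, evaluated before any state is touched."""
    if actor is None:
        raise Forbidden("authentication required")
    if not can_edit_group_rules(actor, group):
        raise Forbidden(f"{actor.name} may not edit rules of group {group.name}")
    if rule_id not in group.access_rules:
        raise KeyError(rule_id)
    group.access_rules[rule_id] = options
    return group.access_rules[rule_id]


def demo():
    """Constructed scenario: an outsider tries to edit a group they are not in."""
    ops = Group("ops", members={"alice", "bob"}, admins={"alice"},
                access_rules={7: "no-pty"})
    outsider = User("mallory")
    results = {}
    results["vulnerable"] = edit_access_rule_vulnerable(outsider, ops, 7, "no-port-forwarding")
    try:
        edit_access_rule_fixed(outsider, ops, 7, "no-port-forwarding")
        results["fixed"] = "edit allowed"
    except Forbidden as exc:
        results["fixed"] = f"rejected: {exc}"
    results["admin"] = edit_access_rule_fixed(User("alice"), ops, 7, "no-pty")
    return results


if __name__ == "__main__":
    for label, outcome in demo().items():
        print(f"{label}: {outcome}")
```

The point of the hardened handler is that the authorization decision is made against the group identified in the request path, not merely against "is this user logged in"; a sysadmin-or-group-admin check of this shape is what separates the two versions.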