CVE-2025-69284

Source: security-advisories@github.com

MEDIUM
4.3
Published: January 2, 2026 at 04:17 PM
Modified: January 2, 2026 at 04:45 PM

Vulnerability Description

Plane is an open-source project management tool. In plane.io, a guest user doesn't have permission to access https[:]//app[.]plane[.]so/[:]slug/settings. Prior to Plane version 1.2.0, a problem occurs when the `/api/workspaces/:slug/members/` is accessible by guests and able to list the users of a specific workspace that they joined. Since the `display_name` in the response is actually the handler of the email, a malicious guest can still identify admin users' email addresses. Version 1.2.0 fixes this issue.

CVSS Metrics

Base Score
4.3
Severity
MEDIUM
Vector String
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

Weaknesses (CWE)

Source: security-advisories@github.com

AI Security Analysis

01 // Technical Summary

Plane, an open-source project management tool, has an information disclosure flaw in versions prior to 1.2.0: a guest user (an authenticated, lowest-privilege workspace role, not an anonymous caller) can call the workspace member-list API and enumerate the members of any workspace they have joined. Because the returned display_name is derived from the local part of each member's email address, a guest can reconstruct administrator email addresses, which supports targeted phishing or credential stuffing against those accounts. The CVSS vector agrees with this reading: PR:L (a low-privilege account is required) and C:L (confidentiality impact only).

02 // Vulnerability Mechanism

Step 1: Access the API endpoint. A user holding only the guest role in a workspace sends a GET request to /api/workspaces/:slug/members/, where :slug identifies the workspace they have joined.

Step 2: Request processing. The server confirms the caller is a workspace member but does not check the caller's role, although the settings page that normally calls this endpoint is hidden from guests in the UI.

Step 3: Data retrieval. The server reads the full member list for the workspace from the database.

Step 4: Information disclosure. The JSON response includes each member's display_name, which is derived from the local part of the member's email address, alongside their role.

Step 5: Email harvesting. The guest parses the response, picks out the administrator entries, and combines each display_name with the organisation's mail domain to recover administrator email addresses.

03 // Deep Technical Analysis

The vulnerability stems from a missing role check on the /api/workspaces/:slug/members/ endpoint in Plane versions before 1.2.0. The UI denies guests the workspace settings page that lists members, but the API behind it only verified that the caller was a member of the workspace at all, so a guest could call it directly by knowing the workspace slug. The response included the display_name field, which in practice was the local part of each user's email address, so the listing was far less anonymous than the field name suggests: a guest could enumerate every member, identify which ones hold the admin role, and rebuild their email addresses once the organisation's mail domain is known. The root cause is an authorization decision made only in the client-side route guard rather than enforced by the API. The fix in version 1.2.0 presumably enforces the role in the API handler (or withholds the listing from guests); the advisory does not describe the patch in detail.
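The mechanism and root cause described above, as an added example that is not Plane's own code: a minimal in-memory model with a "before" handler that checks membership but not role, a "fixed" handler that enforces a minimum role in the API itself, and the harvesting step a guest could perform on the leaked listing. The role values, function names, sample workspace and mail domain are hypothetical stand-ins chosen for illustration.

```python
"""Added example (not Plane's own code): a minimal in-memory model of the
authorization gap described above.  Role values, function names and sample
data are hypothetical stand-ins chosen for illustration."""
from dataclasses import dataclass

# Hypothetical role ladder: higher value, more privilege.
ADMIN, MEMBER, GUEST = 20, 15, 5


class Forbidden(Exception):
    """Raised where a real API would return HTTP 403."""


@dataclass(frozen=True)
class Membership:
    workspace_slug: str
    email: str
    role: int

    @property
    def display_name(self) -> str:
        # Mirrors the advisory: display_name is derived from the email's
        # local part, so it is not really anonymous.
        return self.email.split("@", 1)[0]


def _caller_membership(memberships, slug, caller_email):
    """Membership check only: is the caller a member of this workspace at all?"""
    for m in memberships:
        if m.workspace_slug == slug and m.email == caller_email:
            return m
    raise Forbidden("caller is not a member of this workspace")


def _serialize(memberships, slug):
    return [{"display_name": m.display_name, "role": m.role}
            for m in memberships if m.workspace_slug == slug]


def list_members_vulnerable(memberships, slug, caller_email):
    """'Before' behaviour: membership is checked, the caller's role is not,
    so a guest receives the same listing as an admin."""
    _caller_membership(memberships, slug, caller_email)
    return _serialize(memberships, slug)


def list_members_fixed(memberships, slug, caller_email, min_role=MEMBER):
    """One possible shape of the fix: enforce the role in the API handler itself,
    not only in the UI route guard that hides the settings page from guests."""
    caller = _caller_membership(memberships, slug, caller_email)
    if caller.role < min_role:
        raise Forbidden("guests may not list workspace members")
    return _serialize(memberships, slug)


def harvest_admin_emails(listing, mail_domain):
    """What a malicious guest does with the leaked listing: rebuild admin
    addresses from display_name, assuming one shared mail domain (an attacker's
    guess, and an assumption of this example)."""
    return sorted(f"{m['display_name']}@{mail_domain}"
                  for m in listing if m["role"] == ADMIN)


# Constructed sample data.
SAMPLE = [
    Membership("acme", "alice.ops@example.com", ADMIN),
    Membership("acme", "bob@example.com", MEMBER),
    Membership("acme", "contractor@partner.test", GUEST),
    Membership("other", "zed@example.com", ADMIN),
]
GUEST_CALLER = "contractor@partner.test"


def demo():
    """Return (admin emails a guest can harvest before the fix,
    whether the fixed handler blocks that same guest)."""
    leaked = list_members_vulnerable(SAMPLE, "acme", GUEST_CALLER)
    emails = harvest_admin_emails(leaked, "example.com")
    try:
        list_members_fixed(SAMPLE, "acme", GUEST_CALLER)
        blocked = False
    except Forbidden:
        blocked = True
    return emails, blocked


if __name__ == "__main__":
    print(demo())
```

The point of keeping `_caller_membership` shared between both handlers is that the vulnerable version is not missing authentication; it is missing the second, role-based decision, which is exactly the gap a UI-only guard leaves open.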

04 // Exploitation Status

Discovery only. No public proof-of-concept is known, and one is hardly needed: exploitation is a single authenticated GET to the endpoint from a guest account. The practical risk is bounded by the need for a guest seat in the target workspace and by what is disclosed (display names and roles), which is consistent with the MEDIUM 4.3 score rather than a high-risk rating.

05 // Threat Intelligence

While no specific APTs are known to be actively exploiting this vulnerability, the information disclosure nature of the flaw makes it attractive for initial reconnaissance by various threat actors. This type of vulnerability can be used as a stepping stone for more sophisticated attacks. Not listed on CISA KEV.

06 // Detection & Hunting

  • Query web server or application access logs for GET requests to /api/workspaces/<slug>/members/ and join the requesting session or user id against the workspace membership table; the signal is a 200 response to a user whose role in that workspace is guest. The role is not present in an HTTP log line, so the join is required.

  • On patched instances (1.2.0 or later) the same request from a guest should return 403; keep the same query running as a regression check.

  • Look for one user listing members across many workspaces or polling the endpoint repeatedly, which indicates enumeration rather than normal UI use, since the settings page that calls this endpoint is hidden from guests.

  • IDS or WAF rules that match the path alone are noisy, because members and admins call it legitimately; use them to enrich log correlation rather than as a stand-alone alert.
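The log-correlation hunt described in the bullets above, as an added example that is not Plane's tooling: it filters a JSON access log down to member-list requests, joins each successful request against a role map exported from the membership table, and flags guest-role callers. The JSON field names, the sample log lines and the role map are constructed assumptions for this example, not Plane's real log or database formats.

```python
"""Added example (not Plane's own tooling): hunt an application access log for
successful member-list requests made by guest-role users.  The JSON log layout
and the role map below are constructed assumptions, not Plane's real formats."""
import json
import re
from collections import Counter

MEMBERS_PATH = re.compile(r"^/api/workspaces/(?P<slug>[^/]+)/members/?$")

# Constructed sample log: one JSON object per line, as a reverse proxy or the
# application could emit after it has resolved the session to a user id.
SAMPLE_LOG = """\
{"ts":"2026-01-03T10:00:01Z","user":"u-42","method":"GET","path":"/api/workspaces/acme/members/","status":200}
{"ts":"2026-01-03T10:00:02Z","user":"u-42","method":"GET","path":"/api/workspaces/acme/issues/","status":200}
{"ts":"2026-01-03T10:00:03Z","user":"u-7","method":"GET","path":"/api/workspaces/acme/members/","status":200}
{"ts":"2026-01-03T10:00:04Z","user":"u-7","method":"GET","path":"/api/workspaces/beta/members/","status":200}
{"ts":"2026-01-03T10:00:05Z","user":"u-7","method":"GET","path":"/api/workspaces/gamma/members/","status":403}
{"ts":"2026-01-03T10:00:06Z","user":null,"method":"GET","path":"/api/workspaces/acme/members/","status":401}
"""

# Constructed role map (user id, workspace slug) -> role, as you would export it
# from the workspace membership table; plain HTTP logs do not carry the role.
ROLES = {
    ("u-42", "acme"): "admin",
    ("u-7", "acme"): "guest",
    ("u-7", "beta"): "guest",
}


def parse_member_requests(log_text):
    """Keep only requests that hit the member-list endpoint, tagged with the slug."""
    events = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        m = MEMBERS_PATH.match(ev.get("path", ""))
        if m:
            ev["slug"] = m.group("slug")
            events.append(ev)
    return events


def hunt_guest_listings(events, roles):
    """Flag successful (HTTP 200) listings whose caller holds only the guest role
    in that workspace.  On a patched instance these should be 403s, so any hit
    means either an unpatched build or a regression."""
    findings = []
    for ev in events:
        if ev.get("status") != 200:
            continue
        if roles.get((ev.get("user"), ev["slug"])) == "guest":
            findings.append((ev["ts"], ev["user"], ev["slug"]))
    return findings


def workspaces_per_guest(findings):
    """Guests sweeping several workspaces in a short window look like enumeration."""
    return Counter(user for _, user, _ in findings)


if __name__ == "__main__":
    found = hunt_guest_listings(parse_member_requests(SAMPLE_LOG), ROLES)
    for ts, user, slug in found:
        print(f"{ts} guest {user} listed members of {slug}")
    print(dict(workspaces_per_guest(found)))
```

Unauthenticated and denied requests (401 and 403) are deliberately dropped: they disclose nothing, and the 403s are what a patched build should produce for guests, so a drop in 200s and a rise in 403s for the same users is the expected picture after upgrading.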

07 // Remediation & Hardening

  • Upgrade to Plane.io version 1.2.0 or later.

  • Enforce authorization in the API layer for every endpoint, not only in client-side route guards; hiding a page in the UI does not protect the endpoint behind it.

  • Review and audit all API endpoints for information disclosure, paying particular attention to fields that look harmless but are derived from sensitive data, as display_name is here from the email address.

  • Implement rate limiting to prevent excessive API requests from a single source.

  • Regularly scan the application for known vulnerabilities using vulnerability scanners.

08 // Affected Products

Plane.io versions prior to 1.2.0