Affected Components: Fabasoft eGov-Suite 2019/2020/2021/2022
Severity: not scored
First published: 10.03.2022
Users holding a position that does not grant system administrative permissions may nevertheless have permission to edit their own user object, allowing them to self-assign a user role / position with system administrative permissions.
In the Fabasoft eGov-Suite, some positions (such as "Fachadministrator", "Mandantenadministrator" or "Dienststellenadministrator") are limited administrative positions, but their holders may have permission to edit their own user object and can use it to add the "Systemadministration" position to their own user object and to the user objects of others.
Whether restricted administrators can actually exploit this vulnerability depends on the Fabasoft Solution in use and on the custom ACLs at the customer's installation.
A Fabasoft eGov-Suite user with restricted administrative permissions (such as "Fachadministrator", "Mandantenadministrator" or "Dienststellenadministrator") may be able to edit their own user object and thereby add a user role with full administrative privileges.
Please double-check the assigned user roles of all active user objects and verify that only authorized users hold the System Administration position.
Fabasoft provides hotfixes for the following Fabasoft eGov-Suite versions:
- Fabasoft eGov-Suite 2022 (from 22.214.171.124.18)
- Fabasoft eGov-Suite 2021 Update Rollup 3 (from 126.96.36.199.121)
- Fabasoft eGov-Suite 2020 Update Rollup 5 (from 188.8.131.52.34)
- Fabasoft eGov-Suite 2019 Update Rollup 3 (from 184.108.40.206.51)
The correction is already included in:
- Fabasoft eGov-Suite 2022 Update Rollup 1
- Fabasoft eGov-Suite 2022 April Release
With the corrected functionality, an additional security check is performed whenever a change to the user roles or tenants is attempted. Furthermore, an audit log entry is written on every change of the user roles.
Fabasoft recommends contacting your Fabasoft representative to have your installation checked for this issue.
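The following example, added here and not part of Fabasoft's product or this advisory, models the two points above in a few lines of Python: the pre-hotfix situation in which passing the user object's ACL is enough to rewrite one's own positions, a hardened variant that additionally requires the actor to hold "Systemadministration" before roles or tenants may change and writes an audit log entry for every attempt, and the review check recommended earlier (listing every user who holds the System Administration position without being on an approved list). The user model, the ACL representation as a set of editor names, the function names and the exact rule the hardened variant enforces are assumptions, and the scenario data is constructed.

```python
# Added illustrative example (not Fabasoft code). Models the self-assignment
# path the advisory describes and a hardened variant with an extra check and
# audit logging. User model, ACL representation, function names and the exact
# rule enforced by the hardened variant are assumptions.
from dataclasses import dataclass, field

SYSTEM_ADMIN = "Systemadministration"


@dataclass
class User:
    """Simplified user object (assumed): held positions, tenants, and an
    object ACL listing the user names allowed to edit this object."""
    name: str
    positions: set = field(default_factory=set)
    tenants: set = field(default_factory=set)
    editors: set = field(default_factory=set)


class AuthorizationError(PermissionError):
    pass


def can_edit_object(actor, target):
    # Object-level ACL only: system administrators may edit any user object,
    # everyone else only objects that list them as editor. The advisory's
    # point is that restricted admins may be listed on their own object.
    return SYSTEM_ADMIN in actor.positions or actor.name in target.editors


def set_positions_unpatched(actor, target, positions, tenants):
    """Pre-hotfix behaviour as described: the object ACL is the only gate,
    so whoever may edit the object may also rewrite its positions/tenants."""
    if not can_edit_object(actor, target):
        raise AuthorizationError(f"{actor.name} may not edit {target.name}")
    target.positions = set(positions)
    target.tenants = set(tenants)


def set_positions_patched(actor, target, positions, tenants, audit_log):
    """Hardened behaviour (assumed reading of the advisory): changing positions
    or tenants additionally requires the actor to hold Systemadministration,
    and every attempt to change them, granted or denied, is audit-logged."""
    if not can_edit_object(actor, target):
        raise AuthorizationError(f"{actor.name} may not edit {target.name}")
    positions, tenants = set(positions), set(tenants)
    if positions == target.positions and tenants == target.tenants:
        return  # no role/tenant change requested, nothing to check or log
    entry = {
        "actor": actor.name,
        "target": target.name,
        "positions": (sorted(target.positions), sorted(positions)),
        "tenants": (sorted(target.tenants), sorted(tenants)),
    }
    if SYSTEM_ADMIN not in actor.positions:
        audit_log.append({**entry, "result": "denied"})
        raise AuthorizationError(
            f"{actor.name} lacks {SYSTEM_ADMIN} and may not change roles/tenants")
    audit_log.append({**entry, "result": "changed"})
    target.positions = positions
    target.tenants = tenants


def unexpected_system_admins(users, approved):
    """Review check from the advisory: users holding Systemadministration who
    are not on the approved list (`approved` is a constructed allow-list)."""
    return sorted(u.name for u in users
                  if SYSTEM_ADMIN in u.positions and u.name not in approved)


def demo():
    """Constructed scenario: a Fachadministrator listed as editor of their own
    user object tries to self-assign Systemadministration."""
    fa = User("fa", {"Fachadministrator"}, {"tenant-a"}, editors={"fa"})
    sa = User("sa", {SYSTEM_ADMIN}, {"tenant-a"})
    set_positions_unpatched(fa, fa, fa.positions | {SYSTEM_ADMIN}, fa.tenants)
    escalated = SYSTEM_ADMIN in fa.positions          # escalation succeeded

    fa2 = User("fa2", {"Fachadministrator"}, {"tenant-a"}, editors={"fa2"})
    log = []
    try:
        set_positions_patched(fa2, fa2, fa2.positions | {SYSTEM_ADMIN}, fa2.tenants, log)
        blocked = False
    except AuthorizationError:
        blocked = SYSTEM_ADMIN not in fa2.positions   # blocked and logged

    # A legitimate change by a system administrator is allowed and logged.
    set_positions_patched(sa, fa2, {"Fachadministrator", "Dienststellenadministrator"},
                          fa2.tenants, log)
    return {
        "escalated_unpatched": escalated,
        "blocked_patched": blocked,
        "audit_results": [e["result"] for e in log],
        "unexpected_admins": unexpected_system_admins([fa, fa2, sa], approved={"sa"}),
    }


if __name__ == "__main__":
    print(demo())
```

Running the script shows the unpatched path granting "fa" the Systemadministration position, the hardened path denying the same request for "fa2" while recording it, and the review check reporting "fa" as an unexpected system administrator. In a real installation the equivalent of unexpected_system_admins would be run against an export of all active user objects, and the approved list would be the documented set of system administrators.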