github Netflix/lemur v1.9.3

4 hours ago
  • Fixed missing authorization check (GHSA-4h97-p9wq-chqj_) on POST /certificates/<id>/export for plugins
    with requires_key = False (e.g. java-truststore-jks). The ownership check was previously skipped
    entirely for these plugins with no compensating control. Since such plugins never receive the real private
    key, any authenticated user may still use them regardless of ownership; plugins with requires_key = True
    continue to require ownership and log a key_view audit event, and only they are passed cert.private_key.
  • Fixed missing authorization on the replaces field (GHSA-cfh6-pv5c-38jv_), where any authenticated
    caller could reference an arbitrary certificate by ID on certificate create, upload, and edit requests,
    silencing its expiration notifications and retargeting its rotation without the owning team's knowledge.
    authorize_certificate_replacement now requires the caller to own or hold a role on every certificate
    named in replaces, consistent with the existing check for direct revoke/edit. Enforcement can be
    disabled via ENFORCE_REPLACES_AUTHORIZATION (defaults to True) for deployments that need to
    temporarily preserve the old behavior while they grant the appropriate role to affected workflows.
  • Fixed plaintext credential exposure via the destinations API (GHSA-6c8m-q6g9-vrw3_). Sensitive
    destination plugin options (e.g. SFTP password and private key passphrase) were returned in plaintext
    to any authenticated caller via GET /destinations, GET /destinations/<id>, and
    GET /certificates/<id>/destinations. Sensitive option values are now redacted for non-admin
    callers; admins retain the ability to view and edit them.
  • Fixed incomplete fix for ACME acme_url SSRF (GHSA-v5rc-cpwc-cfpr). The 1.9.2 fix for
    GHSA-v2wp-frmc-5q3v
    validated acme_url against ACME_DIRECTORY_HOST_ALLOWLIST only at
    authority creation time. Any user with a role on an existing ACME authority could still overwrite
    its stored acme_url with an internal/IMDS address via PUT /api/1/authorities/<id>, since the
    update path stored options verbatim with no re-validation. The next certificate issuance via that
    authority would then cause Lemur's backend to fetch the attacker-controlled URL. acme_url is now
    also validated against the allowlist on authority update.
  • Fixed SSRF via ACME client following server-controlled URLs (GHSA-xpmj-wjcp-6pww_). In addition to
    the acme_url allowlist check above, the ACME client itself no longer trusts hostnames supplied by
    the directory/order/authorization/finalize responses returned by the ACME server; outbound requests are
    now pinned to the configured, allowlisted directory host, closing a second SSRF vector where a malicious
    or compromised ACME server could redirect Lemur's backend to arbitrary internal URLs mid-issuance.
  • Fixed missing authorization check on sub-CA creation (GHSA-g7p5-89mh-248h_). When
    ADMIN_ONLY_AUTHORITY_CREATION is disabled, POST /api/1/authorities with
    type=subca never verified that the caller holds AuthorityPermission on the
    supplied parent authority, letting any authenticated non-read-only user mint a sub-CA
    chained off any internal root Lemur holds the private key for and issue trusted leaf
    certs under it. AuthoritiesList.post now enforces AuthorityPermission on the
    parent authority before delegating to the issuer plugin, matching the check already
    used when updating an existing authority.
  • Fixed arbitrary certificate revocation at the CA (GHSA-pxmc-2ffp-8j67_). Certificate identity was tracked
    only by Lemur's internal database row, not by the actual CA-side certificate. Any authenticated user could
    upload a duplicate record for a certificate they didn't own (matching an existing authority_id and
    serial) and then revoke it via PUT /api/1/certificates/<id>/revoke, causing the CA to revoke the
    real certificate belonging to another user. POST /api/1/certificates/upload now requires
    AuthorityPermission on the specified authority, and rejects uploads whose (authority_id, serial)
    pair already matches an existing certificate with a 409 response. PUT /api/1/certificates/<id>/revoke
    now also checks authorization and endpoint attachment against every certificate row sharing
    (authority_id, serial) with the one being revoked, not just the row named in the request, closing the
    gap for any duplicate rows that already exist.

.. _GHSA-4h97-p9wq-chqj: GHSA-4h97-p9wq-chqj
.. _GHSA-cfh6-pv5c-38jv: GHSA-cfh6-pv5c-38jv
.. _GHSA-6c8m-q6g9-vrw3: GHSA-6c8m-q6g9-vrw3
.. _GHSA-v5rc-cpwc-cfpr: GHSA-v5rc-cpwc-cfpr
.. _GHSA-v2wp-frmc-5q3v: GHSA-v2wp-frmc-5q3v
.. _GHSA-xpmj-wjcp-6pww: GHSA-xpmj-wjcp-6pww
.. _GHSA-g7p5-89mh-248h: GHSA-g7p5-89mh-248h
.. _GHSA-pxmc-2ffp-8j67: GHSA-pxmc-2ffp-8j67

Don't miss a new lemur release

NewReleases is sending notifications on new releases.