[VULN-176] - [Privilege Escalation] - Unauthorised access allows limited access user to change password of Items

[jaasen-livefront]

🎟️ Tracking

https://bitwarden.atlassian.net/browse/VULN-176

📔 Objective

This PR fixes an issue with "hidden password" users able to update passwords.

📸 Screenshots

⏰ Reminders before review

• Contributor guidelines followed
• All formatters and local linters executed and passed
• Written new unit and / or integration tests where applicable
• Protected functional changes with optionality (feature flags)
• Used internationalization (i18n) for all UI strings
• CI builds passed
• Communicated to DevOps any deployment requirements
• Updated any necessary documentation (Confluence, contributing docs) or informed the documentation team

🦮 Reviewer guidelines

• 👍 (:+1:) or similar for great changes
• 📝 (:memo:) or ℹ️ (:information_source:) for notes or general info
• ❓ (:question:) for questions
• 🤔 (:thinking:) or 💭 (:thought_balloon:) for more open inquiry that's not quite a confirmed issue and could potentially benefit from discussion
• 🎨 (:art:) for suggestions / improvements
• ❌ (:x:) or ⚠️ (:warning:) for more significant problems or concerns needing attention
• 🌱 (:seedling:) or ♻️ (:recycle:) for future improvements or indications of technical debt
• ⛏ (:pick:) for minor or nitpick changes

[github-actions]

Checkmarx One – Scan Summary & Details – 49b8848e-4b3b-419b-b5ab-215e4bd49400

New Issues (8)

Checkmarx found the following issues in this Pull Request

Severity	Issue	Source File / Package	Checkmarx Insight
	CSRF	/src/Api/Controllers/CollectionsController.cs: 171	details Method Put at line 171 of /src/Api/Controllers/CollectionsController.cs gets a parameter from a user request from model. This parameter value flows... Attack Vector
	CSRF	/src/Api/Public/Controllers/CollectionsController.cs: 87	details Method Put at line 87 of /src/Api/Public/Controllers/CollectionsController.cs gets a parameter from a user request from model. This parameter value... Attack Vector
	CSRF	/src/Api/AdminConsole/Controllers/GroupsController.cs: 164	details Method Put at line 164 of /src/Api/AdminConsole/Controllers/GroupsController.cs gets a parameter from a user request from model. This parameter val... Attack Vector
	CSRF	/bitwarden_license/src/Scim/Controllers/v2/GroupsController.cs: 94	details Method Put at line 94 of /bitwarden_license/src/Scim/Controllers/v2/GroupsController.cs gets a parameter from a user request from model. This param... Attack Vector
	CSRF	/bitwarden_license/src/Scim/Controllers/v2/GroupsController.cs: 104	details Method Patch at line 104 of /bitwarden_license/src/Scim/Controllers/v2/GroupsController.cs gets a parameter from a user request from model. This pa... Attack Vector
	CSRF	/src/Api/AdminConsole/Public/Controllers/GroupsController.cs: 133	details Method Put at line 133 of /src/Api/AdminConsole/Public/Controllers/GroupsController.cs gets a parameter from a user request from model. This parame... Attack Vector
	Log_Forging	/src/Api/Controllers/DevicesController.cs: 97	details Method Put at line 97 of /src/Api/Controllers/DevicesController.cs gets user input from element model. This element’s value flows through the code ... Attack Vector
	Log_Forging	/src/Api/Controllers/DevicesController.cs: 97	details Method Put at line 97 of /src/Api/Controllers/DevicesController.cs gets user input from element model. This element’s value flows through the code ... Attack Vector

Fixed Issues (20)

Great job! The following issues were fixed in this Pull Request

Severity	Issue	Source File / Package
	Log_Forging	/src/Billing/Controllers/StripeController.cs: 164
	Log_Forging	/src/Billing/Controllers/RecoveryController.cs: 38
	Log_Forging	/src/Billing/Controllers/StripeController.cs: 164
	Log_Forging	/src/Billing/Controllers/StripeController.cs: 164
	Log_Forging	/src/Billing/Controllers/RecoveryController.cs: 38
	Log_Forging	/src/Billing/Controllers/RecoveryController.cs: 38
	Log_Forging	/src/Billing/Controllers/RecoveryController.cs: 38
	Log_Forging	/src/Billing/Controllers/RecoveryController.cs: 38
	Log_Forging	/src/Billing/Controllers/RecoveryController.cs: 38
	Log_Forging	/src/Billing/Controllers/RecoveryController.cs: 38
	Log_Forging	/src/Billing/Controllers/RecoveryController.cs: 38
	Log_Forging	/src/Billing/Controllers/RecoveryController.cs: 38
	Log_Forging	/src/Billing/Controllers/RecoveryController.cs: 38
	Log_Forging	/src/Billing/Controllers/StripeController.cs: 164
	Log_Forging	/src/Billing/Controllers/StripeController.cs: 164
	Log_Forging	/src/Billing/Controllers/StripeController.cs: 164
	Log_Forging	/src/Billing/Controllers/StripeController.cs: 164
	Log_Forging	/src/Billing/Controllers/StripeController.cs: 164
	Log_Forging	/src/Billing/Controllers/StripeController.cs: 164
	Log_Forging	/src/Billing/Controllers/StripeController.cs: 164

[codecov]

Codecov Report

Attention: Patch coverage is 88.88889% with 2 lines in your changes missing coverage. Please review.

Project coverage is 44.46%. Comparing base (326eceb) to head (660831e).
Report is 1 commits behind head on main.

Files with missing lines	Patch %	Lines
...re/Vault/Services/Implementations/CipherService.cs	88.88%	0 Missing and 2 partials ⚠️

Additional details and impacted files

@@            Coverage Diff             @@
##             main    #5452      +/-   ##
==========================================
+ Coverage   44.44%   44.46%   +0.02%     
==========================================
  Files        1529     1530       +1     
  Lines       70981    71016      +35     
  Branches     6367     6375       +8     
==========================================
+ Hits        31546    31578      +32     
+ Misses      38070    38069       -1     
- Partials     1365     1369       +4     

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

[sonarqubecloud]

Quality Gate passed

Issues
0 New issues
0 Accepted issues

Measures
0 Security Hotspots
0.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarQube Cloud