3.15.6
During a routine security audit of Aleph we’ve become aware of
Please find detailed information about the patched vulnerabilities below:
Downloaded source files are opened automatically
Summary
As part of the investigations feature, users can upload files to Aleph. The detail view in Aleph offers a sanitized preview of a file, but Aleph also allows users to download (unsanitized) source files. When downloading a source file, Aleph displays a confirmation prompt warning that source files may contain malware or notify the originator of the file.
After downloading a source file, files are opened automatically in the same browser window if the file’s MIME type is supported by the browser. This contradicts the warning that is displayed before downloading the file and potentially enables phishing attacks. For instance, an HTML file resembling the Aleph login interface could be uploaded for this purpose.
Affected versions
Aleph versions up to and including 3.15.5.
The vulnerability is exploitable if you have configured your Aleph instance to use Google Cloud Storage or AWS S3 (or a service compatible with S3) as a storage backend for files uploaded to Aleph via the “ARCHIVE_TYPE” configuration option. The default storage backend that stores files on the local file system is not affected.
Solution
Aleph versions 3.15.6 and newer contain a patch for this vulnerability. Patched versions set the “Content-Disposition” header to instruct browsers to download files as an attachment instead of opening them after the download has completed.
HTML injection in notification emails
Summary
Aleph sends a daily notification digest via email to users. Notification digests are enabled by default and can be disabled by users.
When a user creates an investigation and then shares it with another user who has daily notification digests enabled, the name of the user who created the investigation and the name of the investigation aren’t properly sanitized or encoded.
This means that links and other HTML markup included in the user’s name or in the investigation name will be rendered as is in the notification email which can enable (targeted) phishing campaigns.
Affected versions
Aleph versions up to and including 3.15.5.
The vulnerability is exploitable if you have set up email sending for your Aleph instance via the “ALEPH_MAIL_*” configuration options.
Solution
Aleph versions 3.15.6 and newer contain a patch for this vulnerability. Patched versions properly encode user-controlled data in notification emails.
Unauthorized access to mapping metadata
Summary
Aleph allows users to create entity mappings for uploaded spreadsheets. Using this feature, rows in a spreadsheet can be converted to FollowTheMoney entities in an investigation.
The access controls in the API endpoints for the mappings feature contain a bug that allows users without read or write access to the collection to view, update, trigger, and delete mappings as well as to delete or modify entities generated using a mapping.
The bug allows unauthorized access to the following mapping metadata:
- Mapping definition (this includes column names in the source spreadsheet)
- ID of the investigation a mapping belongs to
- User ID of the user who created the mapping
- Creation and update timestamps
- Mapping status (“pending”/”successful”/”error” and the error message in case the status is “error”)
- Entity ID of the source table
The bug does not allow users to view the entities generated from the mappings or the contents of the source spreadsheet.
Affected versions
Aleph versions up to and including 3.15.5.
Solution
Aleph versions 3.15.6 and newer contain a patch for this vulnerability. Patched versions properly verify user permissions when sending requests to the API endpoints for the mappings feature.
Unauthorized overrides of investigation and dataset metadata
Summary
Aleph allows users to manage metadata for investigations and datasets, including a label and a description as well as URLs to the publisher and source of the data. The metadata is displayed in the Aleph UI when viewing investigations and datasets.
Aleph allows users to specify a “foreign_id” when creating new investigations or datasets. The “foreign_id” can be used to reference the investigation or dataset when using the Aleph API or the alephclient CLI.
Due to a bug, when creating a new investigation or dataset with a “foreign_id” that is already used by another investigation or dataset, Aleph updates the metadata of the existing investigation/dataset instead of failing.
This bug allows users without the necessary permissions to update investigation and dataset metadata.
However, the bug does not allow unauthorized users to view investigation and dataset metadata or data added or uploaded to the investigation or dataset.
Affected versions
Aleph versions up to and including 3.15.5.
Solution
Aleph versions 3.15.6 and newer contain a patch for this vulnerability. Patched versions properly verify user permissions when creating or updating investigations or datasets.
Unauthorized access to uploaded files
Summary
Aleph allows uploading files to investigations and datasets. When a file is uploaded Aleph computes a checksum of the file contents and stores the checksum in the database. The uploaded file can later be retrieved using checksum as a reference. File checksums are represented as strings of hexadecimal characters, for example “ae9ce53fa78166704f5990601ec412d73fb1698a”.
Due to a bug in ingest-file users are able to upload specifically crafted files in order to create file records in the database with arbitrary checksums. This allows users to download files they do not have access to if they know the checksum of the file contents.
Affected versions
ingest-file versions up to and including 3.20.2. ingest-file is the component responsible for handling files you upload to Aleph.
Solution
ingest-file versions 3.20.3 and newer contain a patch for this vulnerability. The patch removes the ability to upload JSONL files that contain entities in the FollowTheMoney format to Aleph. If you have previously used this feature to create FollowTheMoney entities in Aleph in bulk, we recommend that you use the bulk endpoint of the Aleph API instead.