This vulnerability exists in Devtron's Attributes API interface, allowing any authenticated user (including low-privileged CI/CD Developers) to obtain the global API Token signing key by accessing the /orchestrator/attributes?key=apiTokenSecret endpoint. After obtaining the key, attackers can forge JWT tokens for arbitrary user identities offline, thereby gaining complete control over the Devtron platform and laterally moving to the underlying Kubernetes cluster.
CWE Classification: CWE-862 (Missing Authorization)
Devtron uses a JWT-based API Token mechanism for authentication. All API Tokens are signed using HMAC-SHA256 with the apiTokenSecret stored in the database. This key is exposed through the Attributes API, but the authorization check code for this API has been commented out, allowing any authenticated user to read it.
Vulnerability Location: api/restHandler/AttributesRestHandlder.go:173-195
```go
func (handler AttributesRestHandlerImpl) GetAttributesByKey(w http.ResponseWriter, r *http.Request) {
	// Only checks if user is logged in
	userId, err := handler.userService.GetLoggedInUser(r)
	if userId == 0 || err != nil {
		common.HandleUnauthorized(w, r)
		return
	}
	// CRITICAL: RBAC check is commented out
	/*token := r.Header.Get("token")
	if ok := handler.enforcer.Enforce(token, rbac.ResourceGlobal, rbac.ActionGet, "*"); !ok {
		WriteJsonResp(w, errors.New("unauthorized"), nil, http.StatusForbidden)
		return
	}*/
	// Directly retrieves any attribute without authorization
	vars := mux.Vars(r)
	key := vars["key"]
	res, err := handler.attributesService.GetByKey(key)
	if err != nil {
		handler.logger.Errorw("service err, GetAttributesById", "err", err)
		common.WriteJsonResp(w, err, nil,...
```
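A hardened shape of the handler, as an added example rather than Devtron's own code: a hypothetical `Enforcer` type stands in for the project's RBAC enforcer and the attribute store is a constructed in-memory table, so that the global-read authorization check which was commented out above runs before any key is served, and a developer-level token is refused where only an admin token is answered.

```go
package main

import (
	"encoding/json"
	"fmt"
	"net/http"
	"net/http/httptest"
)

// Enforcer is a hypothetical stand-in for Devtron's RBAC enforcer (assumed signature).
type Enforcer func(token, resource, action, obj string) bool
// AttributesHandler serves attributes by key from a constructed in-memory table.
type AttributesHandler struct {
	enforce Enforcer
	store   map[string]string
}

// GetAttributesByKey is the hardened shape of the vulnerable handler: a valid login alone is
// not enough, the caller must also hold the global-read permission before any key is served.
func (h AttributesHandler) GetAttributesByKey(w http.ResponseWriter, r *http.Request) {
	// The session check (GetLoggedInUser) is assumed to run upstream; this is the check that was commented out.
	if !h.enforce(r.Header.Get("token"), "global", "get", "*") {
		http.Error(w, "forbidden", http.StatusForbidden)
		return
	}
	val, ok := h.store[r.URL.Query().Get("key")]
	if !ok {
		http.Error(w, "not found", http.StatusNotFound)
		return
	}
	json.NewEncoder(w).Encode(map[string]string{"value": val})
}

// Probe sends one request through the handler and returns the HTTP status code.
func (h AttributesHandler) Probe(token, key string) int {
	req := httptest.NewRequest(http.MethodGet, "/orchestrator/attributes?key="+key, nil)
	req.Header.Set("token", token)
	rec := httptest.NewRecorder()
	h.GetAttributesByKey(rec, req)
	return rec.Code
}

// NewDemoHandler is a constructed instance where only the "admin" token holds global read.
func NewDemoHandler() AttributesHandler {
	adminOnly := func(tok, res, act, _ string) bool { return res == "global" && act == "get" && tok == "admin" }
	return AttributesHandler{adminOnly, map[string]string{"apiTokenSecret": "constructed-placeholder"}}
}

func main() {
	h := NewDemoHandler() // prints "403 200": the developer token is refused, admin is served
	fmt.Println(h.Probe("developer", "apiTokenSecret"), h.Probe("admin", "apiTokenSecret"))
}
```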
CVSS 4.0 Score: 8.7
CVSS Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
Exploitability: AV:N / AC:L / AT:N / PR:L / UI:N
Vulnerable System: VC:H / VI:H / VA:H
Subsequent System: SC:N / SI:N / SA:N