Skip to content
This repository was archived by the owner on Jul 7, 2026. It is now read-only.

Any user can revoke arbitrary certificates at the CA by uploading a duplicate record and revoking it

High
PJ1288 published GHSA-pxmc-2ffp-8j67 Jul 6, 2026

Package

pip lemur (pip)

Affected versions

<= 1.9.2

Patched versions

1.9.3

Description

[LEMUR-BUG-08] Any user can revoke arbitrary certificates at the CA by uploading a duplicate record and revoking it

Summary

Repo under test: https://github.com/Netflix/lemur

PUT /api/1/certificates/<id>/revoke authorizes the caller against the Lemur database row (creator == current user, or CertificatePermission over the row's roles) rather than the underlying CA-side certificate identity. Separately, POST /api/1/certificates/upload lets any user passing StrictRolePermission create a new Certificate row while freely supplying body, authority (resolved by id/name with no AuthorityPermission check) and external_id; there is no uniqueness constraint on body, serial, or external_id.

An attacker can therefore read a target certificate's public body, authority.id, and external_id via GET /certificates/<id>, upload a duplicate row, and revoke that duplicate. The creator-bypass skips CertificatePermission, the empty-endpoints check passes because the duplicate has none, and service.revoke() then revokes at the CA using the attacker-supplied body (ACME) or external_id (DigiCert/Entrust/Google CA/CFSSL) under the authority's stored CA credentials — revoking the real production certificate.

Affected route

POST /api/1/certificates/uploadPUT /api/1/certificates/<dup_id>/revoke

Affected code

Impact

A low-privileged authenticated insider (or holder of a stolen non-admin token/API key) can revoke any certificate managed by Lemur — including high-value certificates they do not own and certificates currently attached to live endpoints — directly at the issuing CA. Iterating over GET /certificates yields fleet-wide revocation (mass DoS of TLS endpoints) without ever passing an AuthorityPermission or CertificatePermission check on the victim certificate. This is exactly the "Revocation as DoS vector" scenario flagged in the threat model and additionally defeats the built-in "cannot revoke while attached to endpoint" safeguard.

Root cause

Revocation authority is bound to ownership of the Lemur DB row, not to the CA-side certificate identity. Because upload allows creating a second row that aliases the same CA-side certificate (same body / external_id / authority) without any uniqueness constraint or AuthorityPermission check, the attacker can manufacture a row they own and then exercise the creator-bypass on revoke. The endpoint-attached guard inspects only the duplicate row's cert.endpoints, which is empty.

Validated evidence

Static path trace, confirmed by code inspection (validation status: CONFIRMED):

  • Upload is gated only by StrictRolePermission (default-open to any non-read-only user) and accepts attacker-chosen authority + external_id + body without an AuthorityPermission check.
  • Certificate.body / external_id have no uniqueness constraint, so a duplicate row is created.
  • The revoke endpoint short-circuits the owner check when caller is the row creator, and the endpoint-attached guard inspects only the duplicate row.
  • Issuer plugins revoke at the CA using body / external_id taken from the duplicate row under the authority's stored CA credentials.

Proof of concept / reproducer

Status: reconstructed from source report (static control-flow trace; not executed against a live CA — revoking at a real CA is destructive).

Preconditions: attacker is an authenticated Lemur user holding any role other than read-only. <VICTIM_CERT_ID> is any certificate id readable via GET /api/1/certificates.

# 1. Read the victim's body / authority / external_id (exposed to any authenticated user)
curl -sS "<TARGET_BASE_URL>/api/1/certificates/<VICTIM_CERT_ID>" \
  -H "Authorization: Bearer <AUTH_TOKEN>" \
  | jq '{body, external_id, authority: .authority.id}'

# 2. Upload a duplicate row aliasing the same CA-side certificate
curl -sS -X POST "<TARGET_BASE_URL>/api/1/certificates/upload" \
  -H "Authorization: Bearer <AUTH_TOKEN>" \
  -H "Content-Type: application/json" \
  -d '{
        "name": "victim-dup",
        "owner": "attacker@example.com",
        "body": "<VICTIM_BODY_PEM>",
        "authority": {"id": <VICTIM_AUTHORITY_ID>},
        "externalId": "<VICTIM_EXTERNAL_ID>"
      }'
# → returns {"id": <DUP_ID>, ...}; attacker is now cert.user of <DUP_ID>

# 3. Revoke the duplicate — issuer plugin revokes at the CA by body/external_id
curl -sS -X PUT "<TARGET_BASE_URL>/api/1/certificates/<DUP_ID>/revoke" \
  -H "Authorization: Bearer <AUTH_TOKEN>" \
  -H "Content-Type: application/json" \
  -d '{"crlReason": "unspecified"}'

Static-trace validation command from the source report:

grep -n 'StrictRolePermission' lemur/certificates/views.py | grep -v Authority
grep -n 'cert.authority = kwargs.get' lemur/certificates/service.py
grep -n 'g.current_user != cert.user' lemur/certificates/views.py
grep -n 'certificate.external_id\|certificate.body' \
  lemur/plugins/lemur_acme/acme_handlers.py \
  lemur/plugins/lemur_digicert/plugin.py \
  lemur/plugins/lemur_entrust/plugin.py

Source artifact: audit/harnesses/public-repo-threat-model-harness/results/netflix-lemur-100run-mythos-20260627T051129Z/findings.jsonl (run_050, finding cluster lemur-revoke-via-duplicate, 2/100 runs).

Suggested fix

Decouple CA-side revocation authority from Lemur row ownership:

  1. On POST /certificates/upload, if authority is supplied enforce AuthorityPermission for that authority, and reject/ignore caller-supplied external_id.
  2. Before calling plugin.revoke_certificate, look up all Certificate rows sharing the same (authority_id, serial) or body and require CertificatePermission on every match (and run the endpoint-attached check against all matches).
  3. Consider a DB uniqueness constraint or dedup on (authority_id, serial) so a second row for the same CA-issued certificate cannot be created.
  4. Stop exposing external_id in CertificateOutputSchema to non-owners.

Severity

High

CVSS overall score

This score calculates overall vulnerability severity from 0 to 10 and is based on the Common Vulnerability Scoring System (CVSS).
/ 10

CVSS v3 base metrics

Attack vector
Local
Attack complexity
Low
Privileges required
Low
User interaction
None
Scope
Changed
Confidentiality
None
Integrity
Low
Availability
High

CVSS v3 base metrics

Attack vector: More severe the more the remote (logically and physically) an attacker can be in order to exploit the vulnerability.
Attack complexity: More severe for the least complex attacks.
Privileges required: More severe if no privileges are required.
User interaction: More severe when no user interaction is required.
Scope: More severe when a scope change occurs, e.g. one vulnerable component impacts resources in components beyond its security scope.
Confidentiality: More severe when loss of data confidentiality is highest, measuring the level of data access available to an unauthorized user.
Integrity: More severe when loss of data integrity is the highest, measuring the consequence of data modification possible by an unauthorized user.
Availability: More severe when the loss of impacted component availability is highest.
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:N/I:L/A:H

CVE ID

No known CVE

Weaknesses

No CWEs

Credits