Spaces Deletion IDOR
An Insecure Direct Object Reference (IDOR) vulnerability was discovered that allowed admins of one space to delete any space or organization on a Retool instance. An attacker leveraging this vulnerability could cause a denial of service (DoS) by deleting a target space.
To exploit this vulnerability, an attacker would need to have an active account with permissions to manage at least one space on an instance.
| Detail | Description |
|---|---|
| Vulnerability Type | CWE-284: Improper Access Control |
| Attack Type | Remote |
| Impact | Deletion of target spaces |
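To make the access-control flaw concrete, the following is an added illustration, not Retool's code, of the IDOR pattern described above: an in-memory instance with two spaces, a vulnerable delete handler that only checks whether the caller is an admin of *some* space before trusting the caller-supplied space id, and a hardened handler that evaluates the admin permission against the specific space being deleted. All names (`makeInstance`, `deleteSpaceVulnerable`, `deleteSpaceHardened`, the user and space ids) are hypothetical and the data is constructed.

```javascript
// Added example (not Retool's code). Hypothetical model of spaces and
// per-space admin memberships, with a vulnerable delete handler beside a
// hardened one.

// Constructed sample data: one instance, two spaces, one admin per space.
function makeInstance() {
  return {
    spaces: new Map([
      ["space-a", { id: "space-a", name: "Team A" }],
      ["space-b", { id: "space-b", name: "Team B" }],
    ]),
    // "userId:spaceId" pairs granting the user permission to manage that space.
    admins: new Set(["alice:space-a", "bob:space-b"]),
  };
}

// Object-scoped check: is this user an admin of this particular space?
function isAdminOf(inst, userId, spaceId) {
  return inst.admins.has(`${userId}:${spaceId}`);
}

// VULNERABLE: the authorization question is "is this user an admin anywhere?"
// The spaceId from the request is then used directly, so an admin of space-a
// can delete space-b (the IDOR pattern in the advisory).
function deleteSpaceVulnerable(inst, userId, spaceId) {
  const adminAnywhere = [...inst.admins].some((k) => k.startsWith(`${userId}:`));
  if (!adminAnywhere) return { ok: false, status: 403 };
  if (!inst.spaces.has(spaceId)) return { ok: false, status: 404 };
  inst.spaces.delete(spaceId);
  return { ok: true, status: 200 };
}

// HARDENED: authorization is evaluated against the object being acted on.
// A single 404 covers both "no such space" and "not your space", so the
// endpoint does not reveal which space ids exist to non-members.
function deleteSpaceHardened(inst, userId, spaceId) {
  if (!inst.spaces.has(spaceId) || !isAdminOf(inst, userId, spaceId)) {
    return { ok: false, status: 404 };
  }
  inst.spaces.delete(spaceId);
  return { ok: true, status: 200 };
}

// Regression check a defender would keep in the test suite: alice, admin of
// space-a only, requests deletion of space-b. Returns true if space-b survives.
function spaceBSurvives(handler) {
  const inst = makeInstance();
  handler(inst, "alice", "space-b");
  return inst.spaces.has("space-b");
}

module.exports = { makeInstance, isAdminOf, deleteSpaceVulnerable, deleteSpaceHardened, spaceBSurvives };
```

The fix is the shape of the check, not its strictness: `deleteSpaceHardened` still lets alice delete space-a, but the permission lookup now carries the target's id, so a role held in one space cannot be replayed against another. The same pattern applies to the organization-level deletion the advisory mentions: every destructive operation should resolve its permission against the identifier it is about to act on.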
Affected and patched release versions
Retool has already patched this vulnerability on Retool Cloud and released the following patches for Stable and Edge channel releases of self-hosted Retool.
| Channel | Affected version | Patched version |
|---|---|---|
| Edge | 3.11.0 and earlier | 3.312.0 |
| 3.284 Stable | 3.284.0 to 3.284.7 | 3.284.8 |
| 3.253 Stable | 3.253.0 to 3.253.15 | 3.253.16 |