praisonai-platform@0.1.2

Platform layer for PraisonAI — workspace, auth, issues, projects

  • latest version: 0.1.9

  • latest non vulnerable version

  • first published: 2 months ago

  • latest version published: 6 days ago

  • licenses detected

  • Direct Vulnerabilities

    Known vulnerabilities in the praisonai-platform package. This does not include vulnerabilities belonging to this package’s dependencies.

    Vulnerability | Vulnerable version(s)
    • High severity: Improper Authorization

    praisonai-platform is a Platform layer for PraisonAI — workspace, auth, issues, projects

    Affected versions of this package are vulnerable to Improper Authorization in the DELETE process for workspace resources. An attacker can irreversibly remove content belonging to other users by sending DELETE requests to affected API endpoints while authenticated as a workspace member.

    How to fix Improper Authorization?

    Upgrade praisonai-platform to version 0.1.6 or higher.

    Vulnerable versions: [,0.1.6)
    • Medium severity: Authorization Bypass Through User-Controlled Key

    Affected versions of this package are vulnerable to Authorization Bypass Through User-Controlled Key via the create_issue and update processes. An attacker can manipulate project statistics of another workspace by supplying a foreign project_id in the request body during issue creation or update, causing unauthorized data to appear in the victim's project dashboard.

    How to fix Authorization Bypass Through User-Controlled Key?

    Upgrade praisonai-platform to version 0.1.8 or higher.

    Vulnerable versions: [,0.1.8)
    • Critical severity: Insecure Default Initialization of Resource

    Affected versions of this package are vulnerable to Insecure Default Initialization of Resource in auth_service.py. An attacker can gain unauthorized access to any user account and perform actions as that user by forging authentication tokens signed with the known default secret.

    How to fix Insecure Default Initialization of Resource?

    Upgrade praisonai-platform to version 0.1.6 or higher.

    Vulnerable versions: [,0.1.6)
    • Critical severity: Insecure Default Initialization of Resource

    Affected versions of this package are vulnerable to Insecure Default Initialization of Resource via the auth_service process. An attacker can gain unauthorized access to any user account, including workspace owners, by forging a JWT using the publicly known default secret. This allows the attacker to impersonate users, access sensitive resources, and perform destructive actions such as deleting workspaces or removing legitimate members, all without prior authentication. This is only exploitable if the environment variable PLATFORM_JWT_SECRET is not explicitly set, because the default configuration leaves the application vulnerable.

    How to fix Insecure Default Initialization of Resource?

    Upgrade praisonai-platform to version 0.1.6 or higher.

    Vulnerable versions: [,0.1.6)
    • High severity: Authorization Bypass Through User-Controlled Key

    Affected versions of this package are vulnerable to Authorization Bypass Through User-Controlled Key through the AgentService.get process. An attacker can access, modify, or delete resources belonging to other tenants by supplying a valid but unauthorized agent_id in API requests. This is only exploitable if the deployment is multi-tenant, the attacker is a member of any workspace, and the target agent's UUID is known or guessable.

    How to fix Authorization Bypass Through User-Controlled Key?

    Upgrade praisonai-platform to version 0.1.4 or higher.

    Vulnerable versions: [,0.1.4)
    • High severity: Missing Authorization

    Affected versions of this package are vulnerable to Missing Authorization in the delete_workspace process. An attacker can irreversibly delete all workspace data, including projects, issues, comments, agents, labels, and member records, by sending a DELETE request to the relevant endpoint while authenticated as a workspace member. This is only exploitable if the attacker has any membership token in the target workspace.

    How to fix Missing Authorization?

    Upgrade praisonai-platform to version 0.1.4 or higher.

    Vulnerable versions: [,0.1.4)
    • High severity: Authorization Bypass Through User-Controlled Key

    Affected versions of this package are vulnerable to Authorization Bypass Through User-Controlled Key through the ProjectService.get process. An attacker can access, modify, or delete projects belonging to other workspaces by supplying a valid project_id without proper workspace ownership verification. This allows unauthorized reading, updating, deletion, and retrieval of project statistics across workspaces by any authenticated user who is a member of any workspace, provided they know or can guess the target project_id. This is only exploitable if the deployment is multi-tenant and the attacker possesses a valid workspace membership token.

    How to fix Authorization Bypass Through User-Controlled Key?

    Upgrade praisonai-platform to version 0.1.4 or higher.

    Vulnerable versions: [,0.1.4)
    • High severity: Authorization Bypass Through User-Controlled Key

    Affected versions of this package are vulnerable to Authorization Bypass Through User-Controlled Key through the CommentService.create and CommentService.list_for_issue functions. An attacker can access and modify comments belonging to issues in other workspaces by supplying arbitrary issue_id values, allowing unauthorized reading of sensitive comment threads and injection of new comments into foreign issues.

    How to fix Authorization Bypass Through User-Controlled Key?

    Upgrade praisonai-platform to version 0.1.4 or higher.

    Vulnerable versions: [,0.1.4)
    • High severity: Missing Authorization

    Affected versions of this package are vulnerable to Missing Authorization in the add_member process. An attacker can gain unauthorized owner-level access to any workspace by submitting a crafted POST request to the relevant endpoint with a valid member-level token and specifying any user ID and the "owner" role in the request body. This allows the attacker to escalate privileges and control workspace settings, add or remove members, or exfiltrate data by leveraging the new owner account.

    How to fix Missing Authorization?

    Upgrade praisonai-platform to version 0.1.4 or higher.

    Vulnerable versions: [,0.1.4)
    • High severity: Missing Authorization

    Affected versions of this package are vulnerable to Missing Authorization through insufficient permission checks in the update_workspace process. An attacker can modify workspace metadata and inject arbitrary configuration settings by sending crafted PATCH requests to the relevant endpoint while authenticated as a workspace member. This may allow manipulation of feature flags, webhook URLs, or other sensitive settings, potentially leading to unauthorized control over workspace behavior.

    How to fix Missing Authorization?

    Upgrade praisonai-platform to version 0.1.4 or higher.

    Vulnerable versions: [,0.1.4)
    • High severity: Authorization Bypass Through User-Controlled Key

    Affected versions of this package are vulnerable to Authorization Bypass Through User-Controlled Key through the IssueService.get, update, and delete functions, which do not verify workspace ownership when accessing issues by ID. An attacker can read, modify, or delete issues belonging to other workspaces by supplying a valid issue UUID and being a member of any workspace. This allows unauthorized access to confidential information, unauthorized modification of issue data, and deletion of issues across workspaces.

    How to fix Authorization Bypass Through User-Controlled Key?

    Upgrade praisonai-platform to version 0.1.4 or higher.

    Vulnerable versions: [,0.1.4)
    • High severity: Missing Authorization

    Affected versions of this package are vulnerable to Missing Authorization in the service layer for issues and projects, which performs global primary-key lookups without verifying workspace ownership. An attacker can access, modify, or delete resources belonging to any workspace by substituting UUIDs in API requests, and escalate privileges by promoting themselves to owner and removing other owners through insufficient role enforcement in member management endpoints.

    How to fix Missing Authorization?

    Upgrade praisonai-platform to version 0.1.4 or higher.

    Vulnerable versions: [,0.1.4)
    • High severity: Missing Authorization

    Affected versions of this package are vulnerable to Missing Authorization in the require_workspace_member process. An attacker can gain unauthorized control over workspace membership and escalate privileges by exploiting insufficient role checks on administrative routes.

    How to fix Missing Authorization?

    Upgrade praisonai-platform to version 0.1.4 or higher.

    Vulnerable versions: [,0.1.4)
    • Critical severity: Incorrect Authorization

    Affected versions of this package are vulnerable to Incorrect Authorization via improper authorization checks in the require_workspace_member process. An attacker can gain unauthorized access to resources across different workspaces, escalate privileges to admin or owner, remove other members, and delete workspaces by manipulating URL parameters and exploiting insufficient role enforcement.

    How to fix Incorrect Authorization?

    Upgrade praisonai-platform to version 0.1.4 or higher.

    Vulnerable versions: [,0.1.4)
    • High severity: Authorization Bypass Through User-Controlled Key

    Affected versions of this package are vulnerable to Authorization Bypass Through User-Controlled Key via the list_issue_activity process. An attacker can access sensitive activity logs of issues belonging to other workspaces by supplying a valid issue UUID, allowing them to view detailed operational records, actor identities, actions performed, and potentially confidential information contained in the details field.

    How to fix Authorization Bypass Through User-Controlled Key?

    Upgrade praisonai-platform to version 0.1.4 or higher.

    Vulnerable versions: [,0.1.4)
    • High severity: Authorization Bypass Through User-Controlled Key

    Affected versions of this package are vulnerable to Authorization Bypass Through User-Controlled Key via the DependencyService process. An attacker can access, modify, or delete dependencies across different workspaces by supplying arbitrary issue or dependency IDs, allowing unauthorized linking, reading, and removal of issue relationships in other tenants.

    How to fix Authorization Bypass Through User-Controlled Key?

    Upgrade praisonai-platform to version 0.1.4 or higher.

    Vulnerable versions: [,0.1.4)
    • High severity: Authorization Bypass Through User-Controlled Key

    Affected versions of this package are vulnerable to Authorization Bypass Through User-Controlled Key in the LabelService process, which fails to verify that label_id and issue_id belong to the authenticated user's workspace. An attacker can modify, delete, or associate labels across different workspaces by supplying arbitrary IDs in API requests. This allows unauthorized access and manipulation of labels and issues in other tenants, potentially corrupting data integrity, exposing label associations, and disrupting triage workflows. This is only exploitable if the deployment is multi-tenant and the attacker possesses a valid workspace membership token and can obtain or guess target IDs.

    How to fix Authorization Bypass Through User-Controlled Key?

    Upgrade praisonai-platform to version 0.1.4 or higher.

    Vulnerable versions: [,0.1.4)
    • High severity: Authorization Bypass Through User-Controlled Key

    Affected versions of this package are vulnerable to Authorization Bypass Through User-Controlled Key in the process that handles workspace-scoped object access. An attacker can gain unauthorized access to, modify, or delete objects belonging to other workspaces by supplying a global object ID from a different workspace while authenticated to their own workspace.

    How to fix Authorization Bypass Through User-Controlled Key?

    Upgrade praisonai-platform to version 0.1.4 or higher.

    Vulnerable versions: [,0.1.4)
    • High severity: Missing Authorization

    Affected versions of this package are vulnerable to Missing Authorization through the remove function. An attacker can remove any member, including the workspace owner, by sending a crafted DELETE request to the relevant endpoint while authenticated as a member. This results in the legitimate owner being permanently locked out of the workspace, allowing the attacker to take full control.

    How to fix Missing Authorization?

    Upgrade praisonai-platform to version 0.1.4 or higher.

    Vulnerable versions: [,0.1.4)
    • High severity: Missing Authorization

    Affected versions of this package are vulnerable to Missing Authorization in the update_member_role process. An attacker can gain unauthorized administrative privileges by sending a crafted PATCH request to the affected endpoint, allowing them to escalate their own or another user's role within a workspace without proper permission checks.

    How to fix Missing Authorization?

    Upgrade praisonai-platform to version 0.1.4 or higher.

    Vulnerable versions: [,0.1.4)
    • Critical severity: Use of Hard-coded Credentials

    Affected versions of this package are vulnerable to Use of Hard-coded Credentials in auth_service.py, because the JWT signing key falls back to a hardcoded value when the required environment variables are not explicitly set. An attacker can gain unauthorized access to any user account by forging authentication tokens using the known default secret. This is only exploitable if both PLATFORM_JWT_SECRET and PLATFORM_ENV are not explicitly set in the deployment environment.

    How to fix Use of Hard-coded Credentials?

    Upgrade praisonai-platform to version 0.1.4 or higher.

    Vulnerable versions: [,0.1.4)