An issue was discovered in DriveLock 24.1 through 24.1.*, 24.2 through 24.2.*, and 25.1 before 25.1.6. Users with the "Manage roles and permissions" privilege can promote themselves or other DOC users to the Supervisor role through an API call. This privilege is included by default in the Administrator role. This issue mainly affects cloud multi-tenant deployments; on-prem single-tenant installations are typically not impacted because local admins usually already have Supervisor privileges.
A user with 'Manage roles and permissions' privilege (assigned by default to the Administrator role) can execute a specially crafted API call that results in elevating their own account or another DOC user account to the Supervisor role. The Supervisor role has a higher permission level than Administrator, meaning the attacker gains full control over the system. The issue stems from insufficient server-side validation — the API does not verify whether the user making the request is authorized to grant the Supervisor role.
An attacker can obtain the highest level of permissions in the DriveLock system (Supervisor role), enabling complete takeover of configuration, security policies, and data managed by the platform, including in multi-tenant cloud environments.
DriveLock should be updated to version 25.1.6 or later. Detailed information is available in the vendor's security bulletin at: https://drivelock.help/sb/Content/SecurityBulletins/25-008-DESPrivilegeEsc.htm. In multi-tenant cloud environments, the update should be prioritized and user role assignments should be verified for unauthorized changes.
DriveLock versions 24.1.x, 24.2.x, and 25.1 prior to 25.1.6. The issue primarily affects cloud deployments in multi-tenant mode; on-premise installations in single-tenant mode are typically not vulnerable, as local administrators usually already have Supervisor permissions.
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HDrivelock
APPDrivelock24.1 – 24.1.624.2 – 24.2.825.1 – 25.1.6 (bez)
Related vulnerabilities
DriveLock — eskalacja uprawnień przez manipulację procesami uprzywilejowanymi
XSS w DriveLock Operations Center umożliwiający przejęcie sesji
DriveLock — obejście uwierzytelniania agenta (Auth Bypass) w DES
DriveLock — privilege escalation umożliwiające przejęcie kontroli nad systemem
An issue was discovered in DriveLock 24.1 before 24.1.6, 24.2 before 24.2.7, and 25.1 before 25.1.5. An unpriv...