[Question] A security issue? #2008

Closed · o101010 opened this issue Apr 28, 2021 · 1 comment
Labels: bug, TheHive4 (TheHive4 related issues)

Comments

o101010 commented Apr 28, 2021

Request Type

Question

Work Environment

| Question | Answer |
|---|---|
| OS version (server) | All |
| OS version (client) | All |
| Virtualized Env. | True / False |
| Dedicated RAM | XX GB |
| vCPU | 4 / 8 / 16 / 32 |
| TheHive version / git hash | 4.x, hash of the commit |
| Package Type | RPM, DEB, Docker, Binary, From source |
| Database | Cassandra / BerkeleyDB |
| Index type | Lucene / Elasticsearch |
| Attachments storage | Local, NFS, S3, HDFS |
| Browser type & version | If applicable |

Question

Hi.
Thank you for your amazing job on Cortex and TheHive. I'm excited by the next release of Cortex 4, having seen the work on TheHive 4.

During my work on TheHive 4 (and Cortex 3), I imagined a way to pass from one organization to another. In my opinion, it's a security issue that impacts confidentiality (and integrity).

The steps are pretty simple:

  1. Log in as orgAdmin
  2. Create a new user that already exists in another organization
  3. Reset their password (or create an API key)
  4. Log yourself off and log in with this new account
  5. You now have access to both organizations.

It's due to the fact that TheHive automatically links a login user across multiple organizations.
One way to mitigate this issue is to separate local passwords* by organization. For delegated authentication flows (AD, OAuth2, ...), this is not a problem because the password can't be reset by TheHive. But local authentication flows have priority by default.

To-om (Contributor) commented Apr 30, 2021

You're right. But having a different password for each organisation is not desirable (and currently not feasible in TheHive).
I think the password reset should be available only if the org-admin has the "manageUser" permission on all organisations of the targeted user. If such an org-admin doesn't exist on the platform, the user must ask the super admin. This constraint could be annoying, but this is the only solution I see to mitigate the security risk.

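The following is an added illustration, not TheHive code, of the authorization gap described in the report above and of the check proposed in the reply. It models a platform where one login record is shared across organisations (as the report states), and contrasts a hypothetical pre-fix check, in which an orgAdmin only needs `manageUser` in the organisation they are acting in, with the proposed check, in which the orgAdmin must hold `manageUser` in every organisation the target belongs to. All class, function and user names (`Platform`, `can_reset_vulnerable`, `can_reset_fixed`, `alice`, `mallory`, `root`) are assumptions made for this example and do not correspond to TheHive internals.

```python
"""Model of the cross-organisation password reset discussed in this issue.

Hypothetical example code, not TheHive's implementation: names and structure
are assumptions that only mimic the behaviour the thread describes.
"""
from dataclasses import dataclass, field

MANAGE_USER = "manageUser"  # permission name quoted in the reply above


@dataclass
class User:
    login: str
    # organisation name -> set of permissions the user holds there
    orgs: dict = field(default_factory=dict)
    password: str = "initial"


class Platform:
    def __init__(self):
        self.users = {}  # login -> User (one record shared across orgs)

    def add_user_to_org(self, login, org, perms=()):
        # As the report describes: "creating" a login that already exists
        # in another org does not create a second account, it links the
        # existing record to the new org.
        user = self.users.setdefault(login, User(login))
        user.orgs[org] = set(perms)
        return user

    def can_reset_vulnerable(self, actor, target, current_org):
        # Pre-fix behaviour (assumed): manageUser in the org the actor is
        # acting in, plus target membership in that org, is enough.
        return (MANAGE_USER in actor.orgs.get(current_org, set())
                and current_org in target.orgs)

    def can_reset_fixed(self, actor, target, current_org):
        # Proposed fix: the actor must hold manageUser in *every* org of
        # the target, so a reset cannot reach into an org the actor
        # does not administer.
        return current_org in target.orgs and all(
            MANAGE_USER in actor.orgs.get(org, set()) for org in target.orgs
        )

    def reset_password(self, actor, target, current_org, new_password, check):
        if not check(actor, target, current_org):
            raise PermissionError(f"{actor.login} may not reset {target.login}")
        target.password = new_password

    def login(self, login, password):
        # Returns the set of orgs reachable after a successful login,
        # or None on failure.
        user = self.users.get(login)
        if user is None or user.password != password:
            return None
        return set(user.orgs)


def build_platform():
    # Constructed scenario: alice is a member of orgB only; mallory is an
    # orgAdmin of orgA (holds manageUser there) and nowhere else.
    p = Platform()
    p.add_user_to_org("alice", "orgB", perms={"read"})
    p.add_user_to_org("mallory", "orgA", perms={MANAGE_USER})
    return p


def run_attack(check_name):
    """Replay steps 1-5 of the report under the named check.

    Returns ("reset", sorted orgs alice can now reach) if the reset was
    permitted, or ("denied", []) if the check blocked it.
    """
    p = build_platform()
    attacker = p.users["mallory"]
    # Step 2: the orgAdmin of orgA "creates" alice in orgA; the shared login
    # record is linked, so alice is now in orgA and orgB.
    victim = p.add_user_to_org("alice", "orgA", perms={"read"})
    check = getattr(p, check_name)
    try:
        # Step 3: reset the victim's password from within orgA.
        p.reset_password(attacker, victim, "orgA", "pwned", check)
    except PermissionError:
        return ("denied", [])
    # Steps 4-5: log in with the reset credential.
    return ("reset", sorted(p.login("alice", "pwned")))


def legitimate_reset_allowed():
    # An admin holding manageUser in both orgs can still reset alice under
    # the fixed check, so the fix does not break the legitimate path.
    p = build_platform()
    p.add_user_to_org("alice", "orgA", perms={"read"})
    root = p.add_user_to_org("root", "orgA", perms={MANAGE_USER})
    p.add_user_to_org("root", "orgB", perms={MANAGE_USER})
    return p.can_reset_fixed(root, p.users["alice"], "orgA")


if __name__ == "__main__":
    print("vulnerable:", run_attack("can_reset_vulnerable"))
    print("fixed:     ", run_attack("can_reset_fixed"))
    print("legit:     ", legitimate_reset_allowed())
```

Under the pre-fix check the orgAdmin of orgA ends up able to log in as alice and reach orgB, which is exactly the confidentiality break the report describes; under the proposed check the reset is refused because the orgAdmin holds no `manageUser` in orgB, while an admin with `manageUser` in both organisations is still allowed to reset.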
To-om self-assigned this Apr 30, 2021
To-om added this to the 4.1.5 milestone Apr 30, 2021
To-om added the bug and TheHive4 (TheHive4 related issues) labels and removed the question label May 10, 2021
To-om closed this as completed May 10, 2021