
THP-SEC-ADV-2017-001: Privilege Escalation in all Versions of TheHive #408

Closed
saadkadhi opened this issue Dec 22, 2017 · 3 comments

@saadkadhi
Contributor

Request Type

Bug

Problem Description

A privilege escalation vulnerability has been identified in TheHive. It allows users with read-only or read/write access to escalate their privileges and eventually become administrators.

Conditions

To exploit the vulnerability, an attacker must have access to an account on TheHive with read-only or read/write privileges.

The attacker needs to interact with the API in a specific though trivial way to obtain administrator privileges. After verifying that their request has been correctly processed, they connect to TheHive using the Web UI and they will see the administrator menu from where they can edit or lock user accounts, add case templates, etc.

Impacted Versions

This vulnerability impacts all versions of TheHive as of this writing, including TheHive 3.0.2 (Cerana 0.2).

Possible Solutions

TheHive Project has confirmed the vulnerability and a hotfix for Mellifera 13.2 (TheHive 2.13.2) and Cerana 0.2 (TheHive 3.0.2) will be released very soon.

Credits

The vulnerability has been found and reported by Jeffrey Everling.

@saadkadhi saadkadhi added the bug label Dec 22, 2017
@saadkadhi saadkadhi modified the milestones: 2.13.3, 3.0.3 Dec 22, 2017
To-om added a commit that referenced this issue Dec 22, 2017
@To-om To-om closed this as completed Dec 22, 2017
To-om added a commit that referenced this issue Dec 22, 2017
@jeromeleonard jeromeleonard reopened this May 22, 2019
@nadouani nadouani modified the milestones: 3.0.3, 3.3.1 May 22, 2019
@jeromeleonard
Contributor

jeromeleonard commented May 22, 2019

This issue has been reopened following the report made by Adam Mariš, who was still able to escalate privileges of a user with read-only access using their own API key.
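The advisory's "Conditions" section and the reopened report above describe the same defect from two angles: a non-admin caller can submit a user update that changes roles, and the check must hold whether the caller authenticated with a session or with their own API key. The following is an added example written for this page, not TheHive's code: the endpoint shape, the field and role names, the `authenticate`, `vulnerable_update_user`, `hardened_update_user` and `self_role_changes` functions, and the audit-log format are all assumptions used to model the pattern, with a detection check over constructed log lines.

```python
# Added example for this advisory; illustrative code written for this page,
# not TheHive's own implementation. Endpoint shape, field names, role names
# and the audit-log format are assumptions.
import re
from dataclasses import dataclass
from typing import Dict, Optional

KNOWN_ROLES = {"read", "write", "admin"}   # assumed role vocabulary


@dataclass
class User:
    login: str
    roles: set
    api_key: Optional[str] = None


class Forbidden(Exception):
    pass


def authenticate(headers: Dict[str, str], users: Dict[str, User],
                 sessions: Dict[str, str]) -> User:
    """Resolve the caller from either a session cookie or an API key.
    Both paths yield the same User object, so the authorization decision
    downstream cannot depend on which mechanism was used."""
    if "Cookie" in headers:
        login = sessions.get(headers["Cookie"])
        if login in users:
            return users[login]
    auth = headers.get("Authorization", "")
    if auth.startswith("Bearer "):
        key = auth[len("Bearer "):]
        for u in users.values():
            if u.api_key == key:
                return u
    raise Forbidden("unauthenticated")


def vulnerable_update_user(caller: User, target: User, patch: dict) -> User:
    """'Before' behaviour as the advisory describes it: once authenticated,
    any caller may submit a patch and every field in it is applied."""
    if "roles" in patch:
        target.roles = set(patch["roles"])
    return target


def hardened_update_user(caller: User, target: User, patch: dict) -> User:
    """Role changes are admin-only, decided on the caller's identity rather
    than on how the caller authenticated (the reopened report concerned a
    read-only user authenticated with their own API key)."""
    if "roles" in patch:
        if "admin" not in caller.roles:
            raise Forbidden(f"{caller.login} may not change roles")
        if not set(patch["roles"]) <= KNOWN_ROLES:
            raise ValueError("unknown role in patch")
        target.roles = set(patch["roles"])
    return target


def attempt(handler, caller: User, target: User, patch: dict) -> str:
    """Run a handler and report the outcome as a string for easy checking."""
    try:
        handler(caller, target, patch)
        return "applied"
    except Forbidden:
        return "forbidden"


# Constructed audit-log lines (the format is an assumption) for detection.
AUDIT_LOG = """\
2017-12-21T10:00:01Z user=alice auth=apikey PATCH /api/user/alice body={"roles":["admin"]}
2017-12-21T10:00:02Z user=bob auth=session GET /api/case
2017-12-21T10:00:03Z user=admin auth=session PATCH /api/user/bob body={"roles":["read","write"]}
"""
LINE_RE = re.compile(r'user=(\S+) auth=(\S+) PATCH /api/user/(\S+) body=(\{.*\})')


def self_role_changes(log: str) -> list:
    """Return (caller, auth_method) for every request in which a caller
    patched their own account and the body touched 'roles'. An admin
    changing someone else's roles is normal; a self-grant is the signal."""
    hits = []
    for line in log.splitlines():
        m = LINE_RE.search(line)
        if m and m.group(1) == m.group(3) and '"roles"' in m.group(4):
            hits.append((m.group(1), m.group(2)))
    return hits


if __name__ == "__main__":
    alice = User("alice", {"read"}, api_key="k-alice")
    caller = authenticate({"Authorization": "Bearer k-alice"}, {"alice": alice}, {})
    print("vulnerable:", attempt(vulnerable_update_user, caller, alice, {"roles": ["admin"]}))
    print("hardened:  ", attempt(hardened_update_user, caller, alice, {"roles": ["admin"]}))
    print("self-grants in log:", self_role_changes(AUDIT_LOG))
```

The point of the design is that the authorization check lives in the handler and keys off the caller's roles, so adding a second authentication path (API key beside session) cannot reopen the hole; the log check gives a retrospective way to find accounts that granted themselves roles before the hotfix was applied.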

@nadouani
Contributor

The issue has been fixed, and its patch is being released

@neuralhax

CVE-2017-18376 was assigned for this issue.
