THP-SEC-ADV-2017-001: Privilege Escalation in all Versions of TheHive #408
A privilege escalation vulnerability has been identified in TheHive. It allows users with read-only or read/write access to escalate their privileges and eventually become administrators.
To exploit the vulnerability, an attacker must have access to an account on TheHive with read-only or read/write privileges.
The attacker needs to interact with the API in a specific though trivial way to obtain administrator privileges. After verifying that their request has been correctly processed, they connect to TheHive using the Web UI, where they will see the administrator menu from which they can edit or lock user accounts, add case templates, etc.
This vulnerability impacts all versions of TheHive as of this writing, including TheHive 3.0.2 (Cerana 0.2).
TheHive Project has confirmed the vulnerability and a hotfix for Mellifera 13.2 (TheHive 2.13.2) and Cerana 0.2 (TheHive 3.0.2) will be released very soon.
The vulnerability has been found and reported by Jeffrey Everling.