New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

THP-SEC-ADV-2017-001: Privilege Escalation in all Versions of TheHive #408

Closed
saadkadhi opened this Issue Dec 22, 2017 · 0 comments

Comments

Projects
None yet
2 participants
@saadkadhi
Contributor

saadkadhi commented Dec 22, 2017

Request Type

Bug

Problem Description

A privilege escalation vulnerability has been identified in TheHive. It allows users with read-only or read/write access to escalate their privileges and eventually become administrators.

Conditions

To exploit the vulnerability, an attacker must have access to an account on TheHive with read-only or read/write privileges.

The attacker needs to interact with the API in a specific though trivial way to obtain administrator privileges. After verifying that their request has been correctly processed, they connect To TheHive using the Web UI and they will see the administrator menu from where they can edit or lock user accounts, add case templates, etc.

Impacted Versions

This vulnerability impacts all versions of TheHive as of this writing, including TheHive 3.0.2 (Cerana 0.2).

Possible Solutions

TheHive Project has confirmed the vulnerability and a hotfix for Mellifera 13.2 (TheHive 2.13.2) and Cerana 0.2 (TheHive 3.0.2) will be released very soon.

Credits

The vulnerability has been found and reported by Jeffrey Everling.

@saadkadhi saadkadhi added the bug label Dec 22, 2017

@saadkadhi saadkadhi modified the milestones: 2.13.3, 3.0.3 Dec 22, 2017

To-om added a commit that referenced this issue Dec 22, 2017

@To-om To-om closed this Dec 22, 2017

To-om added a commit that referenced this issue Dec 22, 2017

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment