Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

THP-SEC-ADV-2017-001: Privilege Escalation in all Versions of TheHive #408

Closed
saadkadhi opened this issue Dec 22, 2017 · 3 comments
Closed

THP-SEC-ADV-2017-001: Privilege Escalation in all Versions of TheHive #408

saadkadhi opened this issue Dec 22, 2017 · 3 comments
Assignees
@To-om
Labels
bug
Milestone
3.3.1

Comments

@saadkadhi
Copy link
Contributor

Request Type

Bug

Problem Description

A privilege escalation vulnerability has been identified in TheHive. It allows users with read-only or read/write access to escalate their privileges and eventually become administrators.

Conditions

To exploit the vulnerability, an attacker must have access to an account on TheHive with read-only or read/write privileges.

The attacker needs to interact with the API in a specific though trivial way to obtain administrator privileges. After verifying that their request has been correctly processed, they connect To TheHive using the Web UI and they will see the administrator menu from where they can edit or lock user accounts, add case templates, etc.

Impacted Versions

This vulnerability impacts all versions of TheHive as of this writing, including TheHive 3.0.2 (Cerana 0.2).

Possible Solutions

TheHive Project has confirmed the vulnerability and a hotfix for Mellifera 13.2 (TheHive 2.13.2) and Cerana 0.2 (TheHive 3.0.2) will be released very soon.

Credits

The vulnerability has been found and reported by Jeffrey Everling.
@saadkadhi saadkadhi added the bug label Dec 22, 2017
@saadkadhi saadkadhi modified the milestones: 2.13.3, 3.0.3 Dec 22, 2017
To-om added a commit that referenced this issue Dec 22, 2017
@To-om
#408 Fix privilege escalation
53bb970
@To-om To-om closed this as completed Dec 22, 2017
To-om added a commit that referenced this issue Dec 22, 2017
@To-om
#408 Fix privilege escalation
17a06b9
@jeromeleonard jeromeleonard reopened this May 22, 2019
nadouani added a commit that referenced this issue May 22, 2019
@nadouani
#408 Fix a typo on user roles patch API, producing a security issue
9483b9b
@nadouani nadouani modified the milestones: 3.0.3, 3.3.1 May 22, 2019
@jeromeleonard
Copy link
Contributor

jeromeleonard commented May 22, 2019
edited
Loading

this issue has been reopened following the report made by Adam Mariš who was still able to escalate privileges of a user with read-only access using its own API key.

@nadouani
Copy link
Contributor

The issue has been fixed, and its patch is being released

To-om added a commit that referenced this issue May 22, 2019
@To-om
#408 Fix privilege escalation
dec380b
To-om pushed a commit that referenced this issue May 22, 2019
@nadouani @To-om
#408 Fix a typo on user roles patch API, producing a security issue
b0741bf
@neuralhax
Copy link

CVE-2017-18376 was assigned for this issue.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@To-om To-om

Labels
bug
Projects
None yet
Milestone
3.3.1
Development

No branches or pull requests
5 participants
@nadouani @saadkadhi @jeromeleonard @To-om @neuralhax