TheHive-Project / Cortex

Cortex: a Powerful Observable Analysis and Active Response Engine
https://thehive-project.org
GNU Affero General Public License v3.0

[Bug ] Authentication Bypass Vulnerability #418

Closed us3r closed 2 years ago

us3r commented 2 years ago

Request Type

Bug

Work Environment

Question                    Answer
OS version (server)         any
OS version (client)         any
Cortex version / git hash   3.1.1-1 +
Package Type                any
Browser type & version      any

Problem Description

It has been observed that the Cortex 3.1.1-1 application is vulnerable to an authentication bypass. An attacker with an account in the application is able to log into the account of any other application user (including the administrator), which in consequence may lead to a compromise of the application and each of its users.

Steps to Reproduce

  1. Prepare a POST request to /api/login with an EMPTY password for an existing user
  2. Send the request

Possible Solutions

It is the same issue as TheHive issue 2391.

Complementary information

Tested on Cortex integrated with AD.
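
The following is an added example, not code from Cortex or from the reporter. It shows the guard a defender would place in front of a directory-backed login so that the empty-password request described in the steps above is rejected before any AD/LDAP bind is attempted. The directory stand-in, the `/api/login`-style handler, the user names and passwords, and the root-cause assumption (that the directory answers an empty-password bind as a successful unauthenticated bind) are all assumptions made for this example; the issue itself does not state the cause.

```python
# Added example (not Cortex's own code): an empty-credential guard in front
# of a directory-backed login, plus a tiny /api/login-style handler around it.
#
# Assumption (not stated in the issue): when the application is bound to
# AD/LDAP, a bind attempted with an empty password can be answered as an
# "unauthenticated bind" that reports success.  The guard below makes sure
# the backend is never consulted with empty or missing credentials, so that
# behaviour cannot be reached through the login endpoint.
from dataclasses import dataclass
from typing import Callable, Tuple


class AuthError(Exception):
    """Raised for any rejected login; the reason is for server-side logs only."""


@dataclass(frozen=True)
class Session:
    user: str


# Constructed stand-in for the directory: it reproduces the unsafe bind
# semantics assumed above so the guard has something to protect against.
_DIRECTORY = {"alice": "correct-horse-battery", "admin": "example-admin-pw"}


def unsafe_directory_bind(username: str, password: str) -> bool:
    """Mimics a server that treats an empty password as an anonymous bind."""
    if username not in _DIRECTORY:
        return False
    if password == "":
        return True  # the behaviour that must never be reachable from login
    return _DIRECTORY[username] == password


BindFn = Callable[[str, str], bool]


def login(username: object, password: object,
          bind: BindFn = unsafe_directory_bind) -> Session:
    """Authenticate only when both credentials are present and non-blank."""
    # Type check first: JSON null, numbers or lists are not credentials.
    if not isinstance(username, str) or not isinstance(password, str):
        raise AuthError("malformed credentials")
    # Reject empty and whitespace-only values before touching the backend.
    if not username.strip() or not password.strip():
        raise AuthError("empty username or password")
    if not bind(username, password):
        raise AuthError("invalid credentials")
    return Session(user=username)


def handle_login_request(body: dict) -> Tuple[int, dict]:
    """Minimal /api/login-style handler returning (status, response body)."""
    try:
        session = login(body.get("user"), body.get("password"))
    except AuthError:
        # One generic response for every failure, so nothing about the
        # account or the backend decision leaks to the client.
        return 401, {"error": "authentication failed"}
    return 200, {"user": session.user}


if __name__ == "__main__":
    # Constructed requests: a valid login, then the empty-password case.
    print(handle_login_request({"user": "alice", "password": "correct-horse-battery"}))
    print(handle_login_request({"user": "admin", "password": ""}))
```

The point of the example is the ordering: the directory stand-in alone would accept `("admin", "")`, but `login` never lets that call happen, and a missing, null or whitespace-only password is treated exactly like a wrong one.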

To-om commented 2 years ago

Fixed in 3.1.5