TheHive-Project / TheHive

TheHive: a Scalable, Open Source and Free Security Incident Response Platform
https://thehive-project.org
GNU Affero General Public License v3.0

[Bug] A malicious user with read-only privileges can escalate to read and edit the cases belonging to his and all other organizations. #2301

Open jtabet010 opened 2 years ago

jtabet010 commented 2 years ago

Request Type

Bug

Work Environment

| Question | Answer |
|---|---|
| OS version (server) | Ubuntu |
| OS version (client) | XP, Seven, 10, Ubuntu, ... |
| Virtualized Env. | True |
| Dedicated RAM | 32GB |
| vCPU | 8 |
| TheHive version / git hash | 4.1.16, hash of the commit |
| Package Type | Docker |
| Database | Cassandra |
| Index type | Lucene |
| Attachments storage | Local |

A malicious user with read-only privileges can escalate to read (the response of the edit request reveals all the details of the case) and edit the cases belonging to his and all other organizations.

Attachment: The_Hive_Finding_23_12_2021.xlsx