Leakage of support information due to inadequate access control
Moderate
aHenryJard published GHSA-42mm-c8x3-g5q6 on Dec 24, 2024
Package
OpenCTI
Affected versions
<= 6.2.18
Patched versions
6.3.0
Description
Summary
General users can access information that should only be available to users holding the admin/support capability (SETTINGS_SUPPORT).
Details
General users can access information that should only be available to users holding the admin/support capability (SETTINGS_SUPPORT). The cause is inadequate access control on the support package download path (http://<opencti_domain>/storage/get/support/UUID/UUID.zip): the download does not enforce the SETTINGS_SUPPORT capability, and the UUID that makes the path unguessable is exposed to general users through the attached logs query (logs_query.txt).
PoC
1. Log in as admin, click GENERATE SUPPORT PACKAGE on the Support screen, and download the generated package.
2. Log in as a general user and run the attached logs query to obtain the path to the package file.
3. As the general user, request that path to download the file. The package contains sensitive information such as software version information and error details.
logs_query.txt
information_disclosure_support_file.mp4
Impact
An attacker with general user privileges can obtain software and OS version information and other details that should only be available to admins. This lets them gather the information needed for further attacks and may lead to additional damage.