Closed
Description
Request Type
Question
Work Environment
| Question | Answer |
|---|---|
| OS version (server) | All |
| OS version (client) | All |
| Virtualized Env. | True / False |
| Dedicated RAM | XX GB |
| vCPU | 4 / 8 / 16 / 32 |
| TheHive version / git hash | 4.x, hash of the commit |
| Package Type | RPM, DEB, Docker, Binary, From source |
| Database | Cassandra / BerlkelyDB |
| Index type | Lucene / Elasticsearch |
| Attachments storage | Local, NFS, S3, HDFS |
| Browser type & version | If applicable |
Question
Hi.
Thank you for your amazing job on cortex and thehive. I'm exited by the next relase of cortex4, when i seen work on thehive4.
During my work on Thehive4 (and cortex3), I imagine a way to pass from one organization to another. In my opinion, it's a security issue that impact the confidentiality (an integrity).
Steps are pretty simple:
- Log as orgAdmin
- Create a new user that is already in another organization
- Reset his password (or create an API key)
- Log off yourself and login with this new account
- You have access to the two organizations.
It's due to the fact that TheHive autolink login user through multiple organizations.
A way to mitigate this issue is to separate local passwords* on differents organization. For delagated autentication flow (ad, oauth2, ...), this is not a problem because password can't be reset by TheHive. But local authenticate flows have priority by default.