Description
Request Type
Bug
Problem Description
A privilege escalation vulnerability has been identified in TheHive. It allows users with read-only or read/write access to escalate their privileges and eventually become administrators.
Conditions
To exploit the vulnerability, an attacker must have access to an account on TheHive with read-only or read/write privileges.
The attacker needs to interact with the API in a specific though trivial way to obtain administrator privileges. After verifying that their request has been correctly processed, they connect To TheHive using the Web UI and they will see the administrator menu from where they can edit or lock user accounts, add case templates, etc.
Impacted Versions
This vulnerability impacts all versions of TheHive as of this writing, including TheHive 3.0.2 (Cerana 0.2).
Possible Solutions
TheHive Project has confirmed the vulnerability and a hotfix for Mellifera 13.2 (TheHive 2.13.2) and Cerana 0.2 (TheHive 3.0.2) will be released very soon.
Credits
The vulnerability has been found and reported by Jeffrey Everling.