Vulnerability Description
An improper authorization check in the User API in TheHive before 2.13.4 and 3.x before 3.3.1 allows users with read-only or read/write access to escalate their privileges to the administrator's privileges. This affects app/controllers/UserCtrl.scala.
CVSS Score
HIGH
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Strangebee | Thehive | < 2.13.4 |
Related Weaknesses (CWE)
References
- https://gist.github.com/RaJiska/c1b4521aefd77ed43b06045ca05e2591
- https://github.com/TheHive-Project/TheHive/issues/408PatchThird Party Advisory
- https://github.com/TheHive-Project/TheHive/releases/tag/3.3.1Third Party Advisory
- https://gist.github.com/RaJiska/c1b4521aefd77ed43b06045ca05e2591
- https://github.com/TheHive-Project/TheHive/issues/408PatchThird Party Advisory
- https://github.com/TheHive-Project/TheHive/releases/tag/3.3.1Third Party Advisory
FAQ
What is CVE-2017-18376?
CVE-2017-18376 is a vulnerability with a CVSS score of 8.8 (HIGH). An improper authorization check in the User API in TheHive before 2.13.4 and 3.x before 3.3.1 allows users with read-only or read/write access to escalate their privileges to the administrator's privi...
How severe is CVE-2017-18376?
CVE-2017-18376 has been rated HIGH with a CVSS base score of 8.8/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2017-18376?
Check the references section above for vendor advisories and patch information. Affected products include: Strangebee Thehive.