
THREATINT
PUBLISHED

CVE-2024-45805

OpenCTI leaks support information due to inadequate access control



Description

OpenCTI is an open-source cyber threat intelligence platform. Before 6.3.0, general users can access information that should be restricted to users holding the admin and support capability (SETTINGS_SUPPORT). The cause is inadequate access control on the support-information download endpoint (http://<opencti_domain>/storage/get/support/UUID/UUID.zip), combined with the fact that the UUID is obtainable by general users through an attached query (the logs query). This vulnerability is fixed in 6.3.0.

Reserved 2024-09-09 | Published 2024-12-26 | Updated 2024-12-27 | Assigner GitHub_M


MEDIUM: 4.3 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N)

Problem types

CWE-200: Exposure of Sensitive Information to an Unauthorized Actor

CWE-285: Improper Authorization

Product status

< 6.3.0: affected

References

github.com/...pencti/security/advisories/GHSA-42mm-c8x3-g5q6

cve.org (CVE-2024-45805)

nvd.nist.gov (CVE-2024-45805)

https://cve.threatint.com/CVE/CVE-2024-45805