Vulnerability Details CVE-2017-18376
An improper authorization check in the User API in TheHive before 2.13.4 and 3.x before 3.3.1 allows users with read-only or read/write access to escalate their privileges to the administrator's privileges. This affects app/controllers/UserCtrl.scala.
Exploit prediction scoring system (EPSS) score
EPSS Score 0.005
EPSS Ranking 64.5%
CVSS Severity
CVSS v3 Score 8.8
CVSS v2 Score 6.5
References
- https://gist.github.com/RaJiska/c1b4521aefd77ed43b06045ca05e2591
- https://github.com/TheHive-Project/TheHive/issues/408
- https://github.com/TheHive-Project/TheHive/releases/tag/3.3.1
- https://gist.github.com/RaJiska/c1b4521aefd77ed43b06045ca05e2591
- https://github.com/TheHive-Project/TheHive/issues/408
- https://github.com/TheHive-Project/TheHive/releases/tag/3.3.1
Products affected by CVE-2017-18376
-
cpe:2.3:a:strangebee:thehive:2.10.0
-
cpe:2.3:a:strangebee:thehive:2.10.1
-
cpe:2.3:a:strangebee:thehive:2.10.2
-
cpe:2.3:a:strangebee:thehive:2.11.0
-
cpe:2.3:a:strangebee:thehive:2.11.1
-
cpe:2.3:a:strangebee:thehive:2.11.2
-
cpe:2.3:a:strangebee:thehive:2.11.3
-
cpe:2.3:a:strangebee:thehive:2.12.0
-
cpe:2.3:a:strangebee:thehive:2.12.1
-
cpe:2.3:a:strangebee:thehive:2.13.0
-
cpe:2.3:a:strangebee:thehive:2.13.1
-
cpe:2.3:a:strangebee:thehive:2.13.2
-
cpe:2.3:a:strangebee:thehive:2.9.1
-
cpe:2.3:a:strangebee:thehive:2.9.2
-
cpe:2.3:a:strangebee:thehive:3.0.0
-
cpe:2.3:a:strangebee:thehive:3.0.1
-
cpe:2.3:a:strangebee:thehive:3.0.10
-
cpe:2.3:a:strangebee:thehive:3.0.2
-
cpe:2.3:a:strangebee:thehive:3.0.3
-
cpe:2.3:a:strangebee:thehive:3.0.4
-
cpe:2.3:a:strangebee:thehive:3.0.5
-
cpe:2.3:a:strangebee:thehive:3.0.6
-
cpe:2.3:a:strangebee:thehive:3.0.7
-
cpe:2.3:a:strangebee:thehive:3.0.8
-
cpe:2.3:a:strangebee:thehive:3.0.9
-
cpe:2.3:a:strangebee:thehive:3.1.0
-
cpe:2.3:a:strangebee:thehive:3.1.1
-
cpe:2.3:a:strangebee:thehive:3.1.2
-
cpe:2.3:a:strangebee:thehive:3.2.0
-
cpe:2.3:a:strangebee:thehive:3.2.1
-
cpe:2.3:a:strangebee:thehive:3.3.0