CVE-2023-39069
https://notcve.org/view.php?id=CVE-2023-39069
An issue in StrangeBee TheHive v.5.0.8, v.4.1.21 and Cortex v.3.1.6 allows a remote attacker to gain privileges via the Active Directory authentication mechanism.
References: https://github.com/StrangeBeeCorp/Security/blob/main/Security%20advisories/SB-SEC-ADV-2022-001%3A%20Authentication%20bypass%20due%20to%20incomplete%20checks%20in%20the%20Active%20Directory%20authentication%20module.md
Weakness: CWE-287: Improper Authentication
CVE-2022-23536 – Alertmanager can expose local files content via specially crafted config
https://notcve.org/view.php?id=CVE-2022-23536
Cortex provides multi-tenant, long-term storage for Prometheus. A local file inclusion vulnerability exists in Cortex versions 1.13.0, 1.13.1 and 1.14.0, where a malicious actor could remotely read local files as a result of parsing maliciously crafted Alertmanager configurations submitted to the Alertmanager Set Configuration API. Only users of the Alertmanager service where `-experimental.alertmanager.enable-api` or `enable_api: true` is configured are affected. Affected Cortex users are advised to upgrade to patched versions 1.13.2 or 1.14.1. However, as a workaround, Cortex administrators may reject Alertmanager configurations containing the `api_key_file` setting in the `opsgenie_configs` section before sending them to the Set Alertmanager Configuration API.
References: https://cortexmetrics.io/docs/api/#set-alertmanager-configuration https://github.com/cortexproject/cortex/releases/tag/v1.13.2 https://github.com/cortexproject/cortex/releases/tag/v1.14.1 https://github.com/cortexproject/cortex/security/advisories/GHSA-cq2g-pw6q-hf7j
Weaknesses: CWE-73: External Control of File Name or Path; CWE-184: Incomplete List of Disallowed Inputs; CWE-641: Improper Restriction of Names for Files and Other Resources
CVE-2018-20226
https://notcve.org/view.php?id=CVE-2018-20226
An organization administrator can add a super administrator in THEHIVE PROJECT Cortex before 2.1.3 because the Role.toString method is not overridden.
References: https://github.com/TheHive-Project/Cortex/blob/2.1.3/CHANGELOG.md https://github.com/TheHive-Project/Cortex/commit/1aaf2182a6b722ad539e2717bc11967d1bde723a https://github.com/TheHive-Project/Cortex/issues/158