3 results (0.007 seconds)

CVSS: 9.8EPSS: 0%CPEs: 4EXPL: 0

An issue in StrangeBee TheHive v.5.0.8, v.4.1.21 and Cortex v.3.1.6 allows a remote attacker to gain privileges via Active Directory authentication mechanism. Un problema en StrangeBee TheHive v.5.0.8, v.4.1.21 y Cortex v.3.1.6 permite a un atacante remoto obtener privilegios a través del mecanismo de autenticación de Directorio Activo. • https://github.com/StrangeBeeCorp/Security/blob/main/Security%20advisories/SB-SEC-ADV-2022-001%3A%20Authentication%20bypass%20due%20to%20incomplete%20checks%20in%20the%20Active%20Directory%20authentication%20module.md • CWE-287: Improper Authentication •

CVSS: 6.5EPSS: 0%CPEs: 3EXPL: 0

Cortex provides multi-tenant, long term storage for Prometheus. A local file inclusion vulnerability exists in Cortex versions 1.13.0, 1.13.1 and 1.14.0, where a malicious actor could remotely read local files as a result of parsing maliciously crafted Alertmanager configurations when submitted to the Alertmanager Set Configuration API. Only users of the Alertmanager service where `-experimental.alertmanager.enable-api` or `enable_api: true` is configured are affected. Affected Cortex users are advised to upgrade to patched versions 1.13.2 or 1.14.1. However as a workaround, Cortex administrators may reject Alertmanager configurations containing the `api_key_file` setting in the `opsgenie_configs` section before sending to the Set Alertmanager Configuration API. • https://cortexmetrics.io/docs/api/#set-alertmanager-configuration https://github.com/cortexproject/cortex/releases/tag/v1.13.2 https://github.com/cortexproject/cortex/releases/tag/v1.14.1 https://github.com/cortexproject/cortex/security/advisories/GHSA-cq2g-pw6q-hf7j • CWE-73: External Control of File Name or Path CWE-184: Incomplete List of Disallowed Inputs CWE-641: Improper Restriction of Names for Files and Other Resources •

CVSS: 7.2EPSS: 0%CPEs: 1EXPL: 0

An organization administrator can add a super administrator in THEHIVE PROJECT Cortex before 2.1.3 due to the lack of overriding the Role.toString method. Un administrador de la organización puede añadir un superadministrador en THEHIVE PROJECT Cortex, en versiones anteriores a la 2.1.3, debido a la falta de anulación del método Role.toString. • https://github.com/TheHive-Project/Cortex/blob/2.1.3/CHANGELOG.md https://github.com/TheHive-Project/Cortex/commit/1aaf2182a6b722ad539e2717bc11967d1bde723a https://github.com/TheHive-Project/Cortex/issues/158 •