CVE-2025-48741

A Broken Access Control vulnerability in StrangeBee TheHive 5.2.0 before 5.2.16, 5.3.0 before 5.3.11, and 5.4.0 before 5.4.10 allows remote, authenticated, and unprivileged users to retrieve alerts, cases, logs, observables, or tasks, regardless of the user's permissions, through a specific API endpoint.

CVSS

No CVSS.

References

Link	Resource
https://github.com/StrangeBeeCorp/Security/blob/main/Security%20advisories/SB-SEC-ADV-2025-004.md

Configurations

No configuration.

History

28 May 2025, 14:58

Type	Values Removed	Values Added
Summary		(es) Una vulnerabilidad de control de acceso roto en StrangeBee TheHive 5.2.0 anterior a 5.2.16, 5.3.0 anterior a 5.3.11 y 5.4.0 anterior a 5.4.10 permite a usuarios remotos, autenticados y sin privilegios recuperar alertas, casos, registros, observables o tareas, independientemente de los permisos del usuario, a través de un endpoint de API específico.

23 May 2025, 20:15

Type	Values Removed	Values Added
New CVE

Information

Published : 2025-05-23 20:15

Updated : 2025-05-28 14:58

NVD link : CVE-2025-48741

Mitre link : CVE-2025-48741

CVE.ORG link : CVE-2025-48741

JSON object : View

Products Affected

No product.

CWE

CWE-266

Incorrect Privilege Assignment

{"id": "CVE-2025-48741", "cveTags": [], "metrics": {"cvssMetricV40": [{"type": "Secondary", "source": "cve@mitre.org", "cvssData": {"Safety": "NOT_DEFINED", "version": "4.0", "Recovery": "NOT_DEFINED", "baseScore": 6.8, "Automatable": "NOT_DEFINED", "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:A/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "exploitMaturity": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED", "userInteraction": "ACTIVE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "LOW", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "NONE", "integrityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "availabilityRequirement": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "HIGH", "confidentialityRequirement": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED"}}]}, "published": "2025-05-23T20:15:25.763", "references": [{"url": "https://github.com/StrangeBeeCorp/Security/blob/main/Security%20advisories/SB-SEC-ADV-2025-004.md", "source": "cve@mitre.org"}], "vulnStatus": "Awaiting Analysis", "weaknesses": [{"type": "Primary", "source": "cve@mitre.org", "description": [{"lang": "en", "value": "CWE-266"}]}], "descriptions": [{"lang": "en", "value": "A Broken Access Control vulnerability in StrangeBee TheHive 5.2.0 before 5.2.16, 5.3.0 before 5.3.11, and 5.4.0 before 5.4.10 allows remote, authenticated, and unprivileged users to retrieve alerts, cases, logs, observables, or tasks, regardless of the user's permissions, through a specific API endpoint."}, {"lang": "es", "value": "Una vulnerabilidad de control de acceso roto en StrangeBee TheHive 5.2.0 anterior a 5.2.16, 5.3.0 anterior a 5.3.11 y 5.4.0 anterior a 5.4.10 permite a usuarios remotos, autenticados y sin privilegios recuperar alertas, casos, registros, observables o tareas, independientemente de los permisos del usuario, a trav\u00e9s de un endpoint de API espec\u00edfico."}], "lastModified": "2025-05-28T14:58:52.920", "sourceIdentifier": "cve@mitre.org"}