OpenCTI is an open source platform for managing cyber threat intelligence knowledge and observables. In versions 6.6.0 through 6.9.12, there is a privilege escalation vulnerability that can be exploited by unauthenticated attackers to query the API as any existing user, including the default admin account. This issue has been fixed in version 6.9.13. As a workaround, the default admin can be disabled using the `APP__ADMIN__EXTERNALLY_MANAGED` configuration.
The vulnerability, classified as CWE-287 (improper authentication), causes the user identity verification mechanism to be bypassed without providing any credentials. An unauthenticated attacker can impersonate any account in the system, including the default administrator account, and send API requests on its behalf to the OpenCTI platform. The exploit does not require victim interaction or special network privileges.
The attacker gains full access to the OpenCTI platform API with the privileges of the chosen user. In the case of an administrator account, this means the ability to read, modify, and delete all threat intelligence data, as well as potential takeover of full platform control.
OpenCTI must be updated to version 6.9.13, in which the vulnerability has been fixed. As a temporary workaround, the default administrator account can be disabled by setting the configuration option `APP__ADMIN__EXTERNALLY_MANAGED` to a value corresponding to disabling this account.
OpenCTI versions 6.6.0 to 6.9.12 inclusive
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HCiteum Opencti
APPCiteum6.9.0 – 6.9.13 (bez)
Related vulnerabilities
OpenCTI: Wykonanie dowolnego kodu JS przez niesanityzowane szablony EJS
OpenCTI: RCE przez nadużycie web-hooków przez uprzywilejowanego użytkownika
OpenCTI is an open source platform for managing cyber threat intelligence knowledge and observables. Prior to ...
OpenCTI is an open source platform for managing cyber threat intelligence knowledge and observables. Prior to ...
OpenCTI 3.3.1 is vulnerable to a directory traversal attack via the static/css endpoint. An unauthenticated at...