Vulnerability Details : CVE-2018-1000133
Pitchfork version 1.4.6 RC1 contains an Improper Privilege Management vulnerability in Trident Pitchfork components: a standard unprivileged user could gain system administrator permissions within the web portal. The attack appears to be exploitable by any user who can log in, since such a user could edit their own profile and set the "System Administrator" permission to "yes" on themselves. This vulnerability appears to have been fixed in 1.4.6 RC2.
Products affected by CVE-2018-1000133
- cpe:2.3:a:secluded:trident:1.4.6:rc1:*:*:*:*:*:*
Exploit prediction scoring system (EPSS) score for CVE-2018-1000133
0.25% (probability of exploitation activity in the next 30 days)
~65% percentile (the proportion of vulnerabilities scored at or below this score)
CVSS scores for CVE-2018-1000133
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen |
---|---|---|---|---|---|---|
6.0 | MEDIUM | AV:N/AC:M/Au:S/C:P/I:P/A:P | 6.8 | 6.4 | NIST | |
7.5 | HIGH | CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H | 1.6 | 5.9 | NIST | |
CWE ids for CVE-2018-1000133
- The product does not properly assign, modify, track, or check privileges for an actor, creating an unintended sphere of control for that actor. (Assigned by: nvd@nist.gov, Primary)
References for CVE-2018-1000133
- https://github.com/tridentli/pitchfork/commit/33549f15707801099e1253dd5e79369bd48eb59b
  "Fixing issue that Thomas pointed out · tridentli/pitchfork@33549f1 · GitHub" (Patch; Third Party Advisory)
- https://github.com/tridentli/trident/releases/tag/DEV_1.4.6-RC2
  "Release 1.4.6-Release Candidate 2 · tridentli/trident · GitHub" (Third Party Advisory)
- https://thomas-ward.net/security-advisories/trident-trusted-communications-platform-privilege-escalation-issue-advisory/
  (Third Party Advisory)
- https://github.com/tridentli/pitchfork/commit/9fd07cbe4f93e1367e142016e9a205366680dd54
  "Fixing issue that Thomas pointed out · tridentli/pitchfork@9fd07cb · GitHub" (Patch; Third Party Advisory)
- https://github.com/tridentli/pitchfork/issues/168
  "Resolve Perms isssue for Thomas · Issue #168 · tridentli/pitchfork · GitHub" (Issue Tracking; Third Party Advisory)