OpenCTI has remote code execution and sensitive secrets exposed through web hook

OpenCTI is an open cyber threat intelligence (CTI) platform. Prior to version 6.4.11 any user with the capability `manage customizations` can execute commands on the underlying infrastructure where OpenCTI is hosted and can access internal server side secrets by misusing the web-hooks. Since the malicious user gets a root shell inside a container this opens up the the infrastructure environment for further attacks and exposures. Version 6.4.11 fixes the issue.

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H

对生成代码的控制不恰当(代码注入)

OpenCTI 代码注入漏洞

OpenCTI是OpenCTI开源的一个开放网络威胁情报平台。 OpenCTI 6.4.11之前版本存在代码注入漏洞，该漏洞源于具有manage customizations权限的用户可滥用web-hooks执行命令并访问服务器端机密。

N/A

N/A