Vulnerability Information
Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
OpenCTI has remote code execution and sensitive secrets exposed through web hook
Vulnerability Description
OpenCTI is an open cyber threat intelligence (CTI) platform. Prior to version 6.4.11 any user with the capability `manage customizations` can execute commands on the underlying infrastructure where OpenCTI is hosted and can access internal server side secrets by misusing the web-hooks. Since the malicious user gets a root shell inside a container this opens up the the infrastructure environment for further attacks and exposures. Version 6.4.11 fixes the issue.
CVSS Information
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H
Vulnerability Type
对生成代码的控制不恰当(代码注入)
Vulnerability Title
OpenCTI 代码注入漏洞
Vulnerability Description
OpenCTI是OpenCTI开源的一个开放网络威胁情报平台。 OpenCTI 6.4.11之前版本存在代码注入漏洞,该漏洞源于具有manage customizations权限的用户可滥用web-hooks执行命令并访问服务器端机密。
CVSS Information
N/A
Vulnerability Type
N/A