POC details: 956097a3e5866d99cc79c7801d0d75ab01213ed9

Source
Related vulnerability
Title: Tera Insights tiCrypt security vulnerability (CVE-2025-54554)
Description: Tera Insights tiCrypt is a private-cloud secure computing platform from the US company Tera Insights. Versions of Tera Insights tiCrypt prior to 2025-07-17 contain a security vulnerability: tiaudit allows unauthenticated REST API requests to disclose sensitive information.
Description
CVE-2025-54554 – Unauthenticated Access in tiaudit REST API leading to Sensitive Information Disclosure
Introduction
# CVE-2025-54554

# CVE-2025-54554 – Unauthenticated Access in tiaudit REST API leading to Sensitive Information Disclosure

# Discoverer: Amanpreet Parmar | Sr. Security Engineer @Harvard Medical School

# Summary:
CVE-2025-54554 identifies a vulnerability in the tiaudit component of the ticrypt platform, developed by Tera Insights. The issue allows unauthenticated access to REST API endpoints that expose sensitive information about the underlying SQL queries and database structure.

# Description
Prior to July 17, 2025, the tiaudit audit logging service allowed unauthenticated users to access its REST API endpoints. These endpoints disclosed internal SQL query patterns and database schema information without requiring authentication.

Although this behavior was initially considered expected per the documentation, the vendor acknowledged that it posed an information disclosure risk and agreed that access should be restricted to authenticated users only. A fix has been implemented and is reflected in the documentation referenced below.
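The behavior described above, as an added example that is not tiaudit's code or the vendor's fix: a small Python check that classifies an audit REST endpoint's reply to a request sent without credentials (auth required, anonymous access, or anonymous access that leaks SQL query text or schema details), beside a hypothetical handler in its pre-fix (open) and post-fix (bearer-token-gated) forms. The record contents, the token, and the SQL/schema indicators are constructed for this example; tune the indicators to the API you are actually assessing.

```python
"""Classify replies to credential-less audit API requests, and show the missing check.

Added example for CVE-2025-54554's class of bug. Nothing here is tiaudit code; the
handler, token and record below are constructed stand-ins.
"""
import hmac
import json
import re
from dataclasses import dataclass

# Indicators that a response body exposes SQL statements or schema detail.
# Constructed for this example (assumption): widen or narrow for a real target.
SQL_RE = re.compile(
    r"\b(SELECT\b.+?\bFROM\b|INSERT\s+INTO\b|UPDATE\s+\w+\s+SET\b"
    r"|DELETE\s+FROM\b|CREATE\s+TABLE\b)",
    re.I | re.S,
)
SCHEMA_KEYS = {"table", "tables", "column", "columns", "schema", "query", "sql"}


@dataclass
class Response:
    status: int
    body: str = ""


def _has_schema_key(node) -> bool:
    """Recursively look for schema-describing keys in a decoded JSON document."""
    if isinstance(node, dict):
        return any(k.lower() in SCHEMA_KEYS or _has_schema_key(v) for k, v in node.items())
    if isinstance(node, list):
        return any(_has_schema_key(v) for v in node)
    return False


def leaks_sql_details(body: str) -> bool:
    """True if the body carries SQL text or JSON keys that describe the database."""
    if SQL_RE.search(body):
        return True
    try:
        return _has_schema_key(json.loads(body))
    except ValueError:
        return False


def classify_unauthenticated(resp: Response) -> str:
    """Classify the reply to a request that carried NO credentials.

    auth-required          endpoint correctly refuses anonymous access
    disclosure             anonymous access and SQL/schema details in the body
    unauthenticated-access anonymous access, nothing SQL-like found (still a bug)
    other                  redirects, 404s, 5xx: inspect manually
    """
    if resp.status in (401, 403):
        return "auth-required"
    if 200 <= resp.status < 300:
        return "disclosure" if leaks_sql_details(resp.body) else "unauthenticated-access"
    return "other"


# --- Server side: the missing check. Hypothetical handler, not tiaudit's. ---

# Constructed audit record of the kind an audit-log API might return.
AUDIT_RECORD = {
    "query": "SELECT id, actor FROM audit_events WHERE ts > $1",
    "tables": ["audit_events"],
}
# Constructed token; a real service would validate against its identity layer.
API_TOKEN = "constructed-example-token"


def handle_open(headers: dict) -> Response:
    """Pre-fix behavior: serves audit data regardless of credentials."""
    return Response(200, json.dumps(AUDIT_RECORD))


def handle_authenticated(headers: dict) -> Response:
    """Post-fix behavior: reject before any audit data is touched."""
    scheme, _, token = headers.get("Authorization", "").partition(" ")
    if scheme != "Bearer" or not hmac.compare_digest(token, API_TOKEN):
        return Response(401, json.dumps({"error": "authentication required"}))
    return Response(200, json.dumps(AUDIT_RECORD))


def demo() -> dict:
    """Run both handlers against an anonymous request and classify the replies."""
    anonymous = {}  # no Authorization header at all
    return {
        "before_fix": classify_unauthenticated(handle_open(anonymous)),
        "after_fix": classify_unauthenticated(handle_authenticated(anonymous)),
        "after_fix_with_token": handle_authenticated(
            {"Authorization": "Bearer " + API_TOKEN}
        ).status,
    }


if __name__ == "__main__":
    print(demo())
```

When probing a live instance, feed `classify_unauthenticated` the status and body of each REST path from the vendor's audit REST documentation, requested with no session or token; anything other than `auth-required` is worth reporting, and `disclosure` is the pre-fix condition this CVE describes.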

# Impact
Vulnerability Type: Improper Access Control

Attack Vector: Local (Unauthenticated)

Impact: Information Disclosure

Affected Component: REST API endpoints in tiaudit

Vendor: Tera Insights

Fix Status: Resolved by vendor as of July 25, 2025

Documentation Reference: https://ticrypt.com/docs/ticrypt-backend/audit/rest

# A Note on ticrypt
While this vulnerability was valid, it’s worth stating that the overall security design of ticrypt is outstanding. Its architecture demonstrates deep attention to layered security, least privilege, and cryptographic enforcement of access — especially important for environments governed by standards like NIST 800-171. After reviewing the whitepaper (https://ticrypt.com/whitepaper) and internal components, I was genuinely impressed by protections I hadn’t previously encountered. 

File snapshot

[4.0K] /data/pocs/956097a3e5866d99cc79c7801d0d75ab01213ed9
└── [1.8K] README.md

0 directories, 1 file