This release resolves critical security vulnerabilities. Please install the update as soon as possible!
On Jun 4th 2023 tuannq2299 reported a security vulnerability to us. The issue is caused by a race condition and could lead to multiple user accounts with the same email address.
The report was created through the huntr.dev platform: https://huntr.dev/bounties/94d50b11-20ca-46e3-9086-dd6836421675/ The issue could only be exploited by logged-in users with access to the user management of openITCOCKPIT.
On Jun 7th 2023 Hieu Dang (GitHub profile, Twitter profile) reported a critical SQL injection in the sort parameter of the API interface. The issue could only be exploited by logged-in users.
The following issues will be resolved by updating to openITCOCKPIT 4.6.5:
| Impact | CVE | Found by | ID | Vulnerability Summary |
|---|---|---|---|---|
| High | CVE-2023-36663 | hiu240900 | ITC-3017 | SQL injection: the sort endpoints of the API are vulnerable to SQL injection. |
| Medium | CVE-2023-3218 | tuannq2299 | ITC-3014 | Race condition: multiple users can be created with the same username. |
Both vulnerabilities require a logged-in user. We recommend installing the update as soon as possible.
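As an added illustration of the two bug classes listed above (example code, not openITCOCKPIT's own): a check-then-insert user creation that a race condition slips through unless the database itself enforces uniqueness, and an allowlist for the sort parameter so that client input never reaches the ORDER BY clause unvalidated. The table layout, column names and the sample email address are assumptions.

```python
import sqlite3

# Constructed stand-in for a user table; this is not openITCOCKPIT's schema.
def make_db(unique_email: bool) -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    constraint = "UNIQUE" if unique_email else ""
    conn.execute(f"CREATE TABLE users (id INTEGER PRIMARY KEY, email TEXT {constraint})")
    return conn

def email_is_free(conn: sqlite3.Connection, email: str) -> bool:
    """The application-level 'check' half of check-then-insert."""
    return conn.execute("SELECT 1 FROM users WHERE email = ?", (email,)).fetchone() is None

def insert_user(conn: sqlite3.Connection, email: str) -> bool:
    """The 'insert' half. Returns False when the database rejects the row."""
    try:
        conn.execute("INSERT INTO users (email) VALUES (?)", (email,))
        conn.commit()
        return True
    except sqlite3.IntegrityError:
        return False

def race_two_requests(unique_email: bool) -> int:
    """Interleave two requests so both pass the check before either inserts.
    That window is what a race condition exploits; the return value is the
    number of rows that end up sharing the email address."""
    conn = make_db(unique_email)
    email = "dup@example.invalid"  # constructed sample value
    checks = [email_is_free(conn, email), email_is_free(conn, email)]
    assert all(checks)  # both requests saw the address as free
    for _ in checks:
        insert_user(conn, email)  # without UNIQUE both rows land; with it, one is rejected
    return conn.execute("SELECT COUNT(*) FROM users WHERE email = ?", (email,)).fetchone()[0]

# Sort parameter hardening: map the client-supplied value onto a fixed allowlist
# of column names instead of concatenating it into the query text.
SORTABLE_COLUMNS = {"id", "email"}

def build_order_by(sort: str, direction: str = "asc") -> str:
    if sort not in SORTABLE_COLUMNS:
        raise ValueError(f"unsortable column: {sort!r}")
    if direction.lower() not in ("asc", "desc"):
        raise ValueError(f"bad direction: {direction!r}")
    return f'ORDER BY "{sort}" {direction.upper()}'
```

The database-level UNIQUE constraint is the part that closes the race; the application-level check alone only narrows the window.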
Please see the changelog for a complete list of new features, fixed bugs and improvements.
Please see the official documentation on how to update openITCOCKPIT.
Many thanks to all researchers! We appreciate your hard work to keep openITCOCKPIT secure ❤️
Your openITCOCKPIT Team