Lucene search
Faisalfs10xCAAB3310-0D70-4C8A-8768-956F8DD3326DHistoryFeb 13, 2022 - 12:50 a.m.
Exposure of Sensitive Information to an Unauthorized Actor in librenms/librenms
2022-02-1300:50:39
faisalfs10x
www.huntr.dev
6
0.001 Low
EPSS
Percentile
47.7%
LibreNMS v22.1.0 allows users with the normal role/level to view/access the alert transport details. The alert transport may expose sensitive information to an actor that is not explicitly authorized to have access to that information which are supposedly accessible by the Administrator only.
Proof of Concept
Affected endpoints:
1 GET http://{HOST}/alert-transports
~
Steps to reproduce:
1 Login as normal user.
2 Browse to http://{HOST}/alert-transports
3 We can view/access the alert transport information in details such as Transport Name, host IP, Transport Type, Personal Access Token, API Token etc.
~
PoC image:
Impact
This vulnerability is capable of leading to unauthorized sensitive information disclosure of relevant parties.
Related
cvelist
cvelist
CVE-2022-0588 Missing Authorization in librenms/librenms
2022-02-15 08:05:21
nvd
nvd
CVE-2022-0588
2022-02-15 08:15:07
github
github
Exposure of Sensitive Information to an Unauthorized Actor in librenms
2022-02-16 00:01:52
osv
osv
Exposure of Sensitive Information to an Unauthorized Actor in librenms
2022-02-16 00:01:52
CVE-2022-0588
2022-02-15 08:15:07
cnvd
cnvd
librenms Information Disclosure Vulnerability (CNVD-2022-12751)
2022-02-17 00:00:00
prion
prion
Authorization
2022-02-15 08:15:00
cve
cve
CVE-2022-0588
2022-02-15 08:15:07
veracode
veracode
Information Leakage
2022-02-16 08:12:26