CVE-2018-1000133

{"id": "CVE-2018-1000133", "metrics": {"cvssMetricV2": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"version": "2.0", "baseScore": 6.0, "accessVector": "NETWORK", "vectorString": "AV:N/AC:M/Au:S/C:P/I:P/A:P", "authentication": "SINGLE", "integrityImpact": "PARTIAL", "accessComplexity": "MEDIUM", "availabilityImpact": "PARTIAL", "confidentialityImpact": "PARTIAL"}, "acInsufInfo": false, "impactScore": 6.4, "baseSeverity": "MEDIUM", "obtainAllPrivilege": false, "exploitabilityScore": 6.8, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}], "cvssMetricV30": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.0", "baseScore": 7.5, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "HIGH", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}, "impactScore": 5.9, "exploitabilityScore": 1.6}]}, "published": "2018-03-16T14:29:44.847", "references": [{"url": "https://github.com/tridentli/pitchfork/commit/33549f15707801099e1253dd5e79369bd48eb59b", "tags": ["Patch", "Third Party Advisory"], "source": "cve@mitre.org"}, {"url": "https://github.com/tridentli/pitchfork/commit/9fd07cbe4f93e1367e142016e9a205366680dd54", "tags": ["Patch", "Third Party Advisory"], "source": "cve@mitre.org"}, {"url": "https://github.com/tridentli/pitchfork/issues/168", "tags": ["Issue Tracking", "Third Party Advisory"], "source": "cve@mitre.org"}, {"url": "https://github.com/tridentli/trident/releases/tag/DEV_1.4.6-RC2", "tags": ["Third Party Advisory"], "source": "cve@mitre.org"}, {"url": "https://thomas-ward.net/security-advisories/trident-trusted-communications-platform-privilege-escalation-issue-advisory/", "tags": ["Third Party Advisory"], "source": "cve@mitre.org"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-269"}]}], "descriptions": [{"lang": "en", "value": "Pitchfork version 1.4.6 RC1 contains an Improper Privilege Management vulnerability in Trident Pitchfork components that can result in A standard unprivileged user could gain system administrator permissions within the web portal.. This attack appear to be exploitable via The user must be able to login, and could edit their profile and set the \"System Administrator\" permission to \"yes\" on themselves.. This vulnerability appears to have been fixed in 1.4.6 RC2."}, {"lang": "es", "value": "Pitchfork, en su versi\u00f3n 1.4.6 RC1, contiene una vulnerabilidad de gesti\u00f3n incorrecta de privilegios en los componentes Trident Pitchfork que puede resultar en que un usuario est\u00e1ndar sin privilegios obtenga permisos de administrador en el portal web. El usuario debe ser capaz de iniciar sesi\u00f3n y podr\u00eda editar su perfil y establecer el permiso \"System Administrator\" en \"yes\" para s\u00ed mismo. La vulnerabilidad parece haber sido solucionada en la versi\u00f3n 1.4.6 RC2."}], "lastModified": "2019-10-03T00:03:26.223", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:secluded:trident:1.4.6:rc1:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "52F21E24-C1E2-4E41-B00C-FB5441CCD7CF"}], "operator": "OR"}]}], "sourceIdentifier": "cve@mitre.org"}