Bhima 1.27.0 - Sensitive Information Disclosure via IDOR
Summary
Name | Bhima 1.27.0 - Sensitive Information Disclosure via IDOR
Code name |
Product | Bhima
Affected versions | 1.27.0
State | Public
Release date | 2023-04-10
Vulnerability
Kind | Insecure direct object reference (IDOR)
Rule |
Remote | Yes
CVSSv3.1 Vector | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
CVSSv3.1 Base Score | 6.5
Exploit available | Yes
CVE ID(s) | CVE-2023-0967
Description
Bhima version 1.27.0 allows an attacker authenticated with normal user permissions to view sensitive data of other application users, as well as data that should be visible only to the administrator. This is possible because the application is vulnerable to IDOR: it does not properly validate the requesting user's permissions for certain actions that user can perform.
Vulnerability
This vulnerability is an insecure direct object reference (IDOR): the application confirms that the requester is authenticated, but it does not verify that the requester is authorized for the specific object or action referenced in the request. Supplying a reference to another user's data is therefore enough to retrieve it, without any elevation of privilege.
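The following is an added illustration of the IDOR pattern described above and of the check that closes it. It is not Bhima's code and does not reflect Bhima's actual routes: the user store, the session shape and the handler names (`getUserVulnerable`, `getUserFixed`, `canReadUser`, `enumerateOthers`) are hypothetical and constructed for this example. The enumeration helper shows the generic impact test for this class of bug, not a step recorded against Bhima.

```javascript
// Added illustration, not Bhima's code: a generic IDOR in a user-profile endpoint
// and the authorization check that closes it. The data store, session shape and
// route handlers below are constructed for this example (hypothetical names).
const users = new Map([
  [1, { id: 1, username: 'admin', email: 'admin@example.org', role: 'admin' }],
  [2, { id: 2, username: 'alice', email: 'alice@example.org', role: 'user' }],
  [3, { id: 3, username: 'bob', email: 'bob@example.org', role: 'user' }],
]);

// Vulnerable pattern: the handler confirms that *some* user is logged in, then
// resolves whatever id appears in the URL. Existence is checked; ownership is not.
function getUserVulnerable(req) {
  if (!req.session) return { status: 401 };
  const record = users.get(Number(req.params.id));
  if (!record) return { status: 404 };
  return { status: 200, body: record };
}

// Policy: a user may read their own record; only an admin may read anyone's.
function canReadUser(session, targetId) {
  return session.role === 'admin' || session.id === targetId;
}

// Hardened pattern: validate the reference, then authorize it against the
// caller's identity and role *before* the lookup, so an unauthorized caller gets
// the same 403 whether or not the record exists (no id enumeration via 404s).
function getUserFixed(req) {
  if (!req.session) return { status: 401 };
  const id = Number(req.params.id);
  if (!Number.isInteger(id) || id <= 0) return { status: 400 };
  if (!canReadUser(req.session, id)) return { status: 403 };
  const record = users.get(id);
  if (!record) return { status: 404 };
  return { status: 200, body: record };
}

// Impact check: walk a range of ids as an ordinary user and collect every
// record that belongs to someone else. This is the generic IDOR test, not a
// step recorded against Bhima.
function enumerateOthers(handler, session, maxId) {
  const leaked = [];
  for (let id = 1; id <= maxId; id++) {
    const res = handler({ session, params: { id: String(id) } });
    if (res.status === 200 && res.body.id !== session.id) leaked.push(res.body.id);
  }
  return leaked;
}

// Constructed session for an ordinary user (id 2, role "user").
const alice = { id: 2, role: 'user' };
console.log('vulnerable handler leaks ids:', enumerateOthers(getUserVulnerable, alice, 5));
console.log('fixed handler leaks ids:', enumerateOthers(getUserFixed, alice, 5));
```

The important design point is the order of checks in the hardened handler: the authorization decision is made on the reference the client supplied, before the record is fetched, so the response to a non-owner does not depend on whether the record exists. Checking only after the lookup, or only that the caller is logged in, reproduces the defect this advisory describes.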
Exploitation
Evidence of exploitation
Our security policy
We have reserved the ID CVE-2023-0967 to refer to this issue from now on.
System Information
- Version: Bhima 1.27.0
- Operating System: GNU/Linux
Mitigation
There is currently no patch available for this vulnerability.
Credits
The vulnerability was discovered by Carlos Bello from Fluid Attacks' Offensive Team.
References
Vendor page https://github.com/IMA-WorldHealth/bhima/
Timeline
2023-02-22: Vulnerability discovered.
2023-02-22: Vendor contacted.
2023-02-22: Vendor replied acknowledging the report.
2023-04-10: Public disclosure.