CVE-2024-36399 - OpenCVE

Kanboard is project management software that focuses on the Kanban methodology. The vuln is in app/Controller/ProjectPermissionController.php function addUser(). The users permission to add users to a project only get checked on the URL parameter project_id. If the user is authorized to add users to this project the request gets processed. The users permission for the POST BODY parameter project_id does not get checked again while processing. An attacker with the 'Project Manager' on a single project may take over any other project. The vulnerability is fixed in 1.2.37.

No CVSS v4.0

Attack Vector Network

Attack Complexity High

Privileges Required Low

Scope Changed

Confidentiality Impact High

Integrity Impact High

Availability Impact None

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Kanboard	Kanboard

Configuration 1 [-]

cpe:2.3:a:kanboard:kanboard:*:*:*:*:*:*:*:*

No data.

References

Link	Providers
https://github.com/kanboard/kanboard/commit/b6703688aac8187f5ea4d4d704fc7afeeffeafa7
https://github.com/kanboard/kanboard/security/advisories/GHSA-x8v7-3ghx-65cv

History

Tue, 24 Sep 2024 14:15:00 +0000

Type	Values Removed	Values Added
First Time appeared		Kanboard Kanboard kanboard
CPEs		cpe:2.3:a:kanboard:kanboard::::::::
Vendors & Products		Kanboard Kanboard kanboard

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published: 2024-06-06T15:15:46.978Z

Updated: 2024-08-02T03:37:05.195Z

Reserved: 2024-05-27T15:59:57.030Z

Link: CVE-2024-36399

Vulnrichment

Updated: 2024-08-02T03:37:05.195Z

NVD

Status : Analyzed

Published: 2024-06-06T16:15:12.573

Modified: 2024-09-24T13:59:59.243

Link: CVE-2024-36399

Redhat

No data.

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2024-36399", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2024-05-27T15:59:57.030Z", "datePublished": "2024-06-06T15:15:46.978Z", "dateUpdated": "2024-08-02T03:37:05.195Z"}, "containers": {"cna": {"title": "Kanboard affected by Project Takeover via IDOR in ProjectPermissionController", "problemTypes": [{"descriptions": [{"cweId": "CWE-284", "lang": "en", "description": "CWE-284: Improper Access Control", "type": "CWE"}]}, {"descriptions": [{"cweId": "CWE-285", "lang": "en", "description": "CWE-285: Improper Authorization", "type": "CWE"}]}, {"descriptions": [{"cweId": "CWE-639", "lang": "en", "description": "CWE-639: Authorization Bypass Through User-Controlled Key", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 8.2, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:N", "version": "3.1"}}], "references": [{"name": "https://github.com/kanboard/kanboard/security/advisories/GHSA-x8v7-3ghx-65cv", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/kanboard/kanboard/security/advisories/GHSA-x8v7-3ghx-65cv"}, {"name": "https://github.com/kanboard/kanboard/commit/b6703688aac8187f5ea4d4d704fc7afeeffeafa7", "tags": ["x_refsource_MISC"], "url": "https://github.com/kanboard/kanboard/commit/b6703688aac8187f5ea4d4d704fc7afeeffeafa7"}], "affected": [{"vendor": "kanboard", "product": "kanboard", "versions": [{"version": "1.2.37", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2024-06-06T15:15:46.978Z"}, "descriptions": [{"lang": "en", "value": "Kanboard is project management software that focuses on the Kanban methodology. The vuln is in app/Controller/ProjectPermissionController.php function addUser(). The users permission to add users to a project only get checked on the URL parameter project_id. If the user is authorized to add users to this project the request gets processed. The users permission for the POST BODY parameter project_id does not get checked again while processing. An attacker with the 'Project Manager' on a single project may take over any other project. The vulnerability is fixed in 1.2.37."}], "source": {"advisory": "GHSA-x8v7-3ghx-65cv", "discovery": "UNKNOWN"}}, "adp": [{"affected": [{"vendor": "kanboard", "product": "kanboard", "cpes": ["cpe:2.3:a:kanboard:kanboard:*:*:*:*:*:*:*:*"], "defaultStatus": "unknown", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "1.2.36", "versionType": "custom"}]}], "metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2024-06-06T17:56:20.351547Z", "id": "CVE-2024-36399", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-06-06T17:57:49.863Z"}}, {"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T03:37:05.195Z"}, "title": "CVE Program Container", "references": [{"name": "https://github.com/kanboard/kanboard/security/advisories/GHSA-x8v7-3ghx-65cv", "tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://github.com/kanboard/kanboard/security/advisories/GHSA-x8v7-3ghx-65cv"}, {"name": "https://github.com/kanboard/kanboard/commit/b6703688aac8187f5ea4d4d704fc7afeeffeafa7", "tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/kanboard/kanboard/commit/b6703688aac8187f5ea4d4d704fc7afeeffeafa7"}]}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "https://github.com/kanboard/kanboard/security/advisories/GHSA-x8v7-3ghx-65cv", "name": "https://github.com/kanboard/kanboard/security/advisories/GHSA-x8v7-3ghx-65cv", "tags": ["x_refsource_CONFIRM", "x_transferred"]}, {"url": "https://github.com/kanboard/kanboard/commit/b6703688aac8187f5ea4d4d704fc7afeeffeafa7", "name": "https://github.com/kanboard/kanboard/commit/b6703688aac8187f5ea4d4d704fc7afeeffeafa7", "tags": ["x_refsource_MISC", "x_transferred"]}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T03:37:05.195Z"}}, {"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2024-36399", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2024-06-06T17:56:20.351547Z"}}}], "affected": [{"cpes": ["cpe:2.3:a:kanboard:kanboard:*:*:*:*:*:*:*:*"], "vendor": "kanboard", "product": "kanboard", "versions": [{"status": "affected", "version": "0", "versionType": "custom", "lessThanOrEqual": "1.2.36"}], "defaultStatus": "unknown"}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-06-06T17:57:44.955Z"}}], "cna": {"title": "Kanboard affected by Project Takeover via IDOR in ProjectPermissionController", "source": {"advisory": "GHSA-x8v7-3ghx-65cv", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "CHANGED", "version": "3.1", "baseScore": 8.2, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:N", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "HIGH", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}}], "affected": [{"vendor": "kanboard", "product": "kanboard", "versions": [{"status": "affected", "version": "1.2.37"}]}], "references": [{"url": "https://github.com/kanboard/kanboard/security/advisories/GHSA-x8v7-3ghx-65cv", "name": "https://github.com/kanboard/kanboard/security/advisories/GHSA-x8v7-3ghx-65cv", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/kanboard/kanboard/commit/b6703688aac8187f5ea4d4d704fc7afeeffeafa7", "name": "https://github.com/kanboard/kanboard/commit/b6703688aac8187f5ea4d4d704fc7afeeffeafa7", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "Kanboard is project management software that focuses on the Kanban methodology. The vuln is in app/Controller/ProjectPermissionController.php function addUser(). The users permission to add users to a project only get checked on the URL parameter project_id. If the user is authorized to add users to this project the request gets processed. The users permission for the POST BODY parameter project_id does not get checked again while processing. An attacker with the 'Project Manager' on a single project may take over any other project. The vulnerability is fixed in 1.2.37."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-284", "description": "CWE-284: Improper Access Control"}]}, {"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-285", "description": "CWE-285: Improper Authorization"}]}, {"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-639", "description": "CWE-639: Authorization Bypass Through User-Controlled Key"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2024-06-06T15:15:46.978Z"}}}, "cveMetadata": {"cveId": "CVE-2024-36399", "state": "PUBLISHED", "dateUpdated": "2024-08-02T03:37:05.195Z", "dateReserved": "2024-05-27T15:59:57.030Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2024-06-06T15:15:46.978Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:kanboard:kanboard:*:*:*:*:*:*:*:*", "matchCriteriaId": "FF8A13B9-1EFA-484F-82D7-DEAF65D20165", "versionEndExcluding": "1.2.37", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Kanboard is project management software that focuses on the Kanban methodology. The vuln is in app/Controller/ProjectPermissionController.php function addUser(). The users permission to add users to a project only get checked on the URL parameter project_id. If the user is authorized to add users to this project the request gets processed. The users permission for the POST BODY parameter project_id does not get checked again while processing. An attacker with the 'Project Manager' on a single project may take over any other project. The vulnerability is fixed in 1.2.37."}, {"lang": "es", "value": "Kanboard es un software de gesti\u00f3n de proyectos que se centra en la metodolog\u00eda Kanban. La vulnerabilidad est\u00e1 en la funci\u00f3n addUser() de app/Controller/ProjectPermissionController.php. El permiso de los usuarios para agregar usuarios a un proyecto solo se verifica en el par\u00e1metro de URL project_id. Si el usuario est\u00e1 autorizado a agregar usuarios a este proyecto, la solicitud se procesa. El permiso de los usuarios para el par\u00e1metro POST BODY project_id no se vuelve a verificar durante el procesamiento. Un atacante con el 'Gerente de Proyecto' en un \u00fanico proyecto puede hacerse cargo de cualquier otro proyecto. La vulnerabilidad se solucion\u00f3 en 1.2.37."}], "id": "CVE-2024-36399", "lastModified": "2024-09-24T13:59:59.243", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 6.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 3.4, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 8.2, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:N", "version": "3.1"}, "exploitabilityScore": 1.8, "impactScore": 5.8, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2024-06-06T16:15:12.573", "references": [{"source": "security-advisories@github.com", "tags": ["Patch"], "url": "https://github.com/kanboard/kanboard/commit/b6703688aac8187f5ea4d4d704fc7afeeffeafa7"}, {"source": "security-advisories@github.com", "tags": ["Exploit", "Vendor Advisory"], "url": "https://github.com/kanboard/kanboard/security/advisories/GHSA-x8v7-3ghx-65cv"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-639"}], "source": "nvd@nist.gov", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-284"}, {"lang": "en", "value": "CWE-285"}, {"lang": "en", "value": "CWE-639"}], "source": "security-advisories@github.com", "type": "Secondary"}]}