From 9483b9ba7affb5b51c01baa38778db72c1ff16d3 Mon Sep 17 00:00:00 2001
From: Nabil Adouani
Date: Wed, 22 May 2019 14:21:28 +0200
Subject: [PATCH 1/3] #408 Fix a typo on user roles patch API, producing a security issue
---
 thehive-backend/app/controllers/UserCtrl.scala | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/thehive-backend/app/controllers/UserCtrl.scala b/thehive-backend/app/controllers/UserCtrl.scala
index 53b3d528a2..29d5354414 100644
--- a/thehive-backend/app/controllers/UserCtrl.scala
+++ b/thehive-backend/app/controllers/UserCtrl.scala
@@ -52,7 +52,7 @@ class UserCtrl @Inject() (
 else if (request.body.contains("key")) {
 Future.failed(AuthorizationError("You must use dedicated API (renewKey, removeKey) to update key"))
 }
-else if (request.body.contains("role") && !request.authContext.roles.contains(Roles.admin)) {
+else if (request.body.contains("roles") && !request.authContext.roles.contains(Roles.admin)) {
 Future.failed(AuthorizationError("You are not permitted to change user role"))
 }
 else if (request.body.contains("status") && !request.authContext.roles.contains(Roles.admin)) {
From 19fd34025e5eb5c31f0e479bcbf36eebe3cefbe2 Mon Sep 17 00:00:00 2001
From: Nabil Adouani
Date: Wed, 22 May 2019 14:27:29 +0200
Subject: [PATCH 2/3] Bump version files
---
 ui/bower.json | 2 +-
 ui/package.json | 2 +-
 version.sbt | 2 +-
 3 files changed, 3 insertions(+), 3 deletions(-)
diff --git a/ui/bower.json b/ui/bower.json
index bc7d1b9bb3..adf2062f85 100644
--- a/ui/bower.json
+++ b/ui/bower.json
@@ -1,6 +1,6 @@
 {
 "name": "thehive",
- "version": "3.3.0",
+ "version": "3.3.1",
 "license": "AGPL-3.0",
 "dependencies": {
 "angular": "1.5.8",
diff --git a/ui/package.json b/ui/package.json
index ba8f5b8e8e..c28af19c2a 100644
--- a/ui/package.json
+++ b/ui/package.json
@@ -1,6 +1,6 @@
 {
 "name": "thehive",
- "version": "3.3.0",
+ "version": "3.3.1",
 "license": "AGPL-3.0",
 "repository": {
 "type": "git",
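Review bot: The corrected condition on the `+` line still protects privileged attributes by naming each one — `key`, `roles` and `status` are each tested with `request.body.contains` before the update is allowed — and the defect fixed here was exactly one misspelled entry in that deny-list, so any privileged attribute added later would presumably be writable by a non-admin until it is also listed. A more robust shape for the non-admin path is to reject the request unless every attribute present in `request.body` is in an explicit allow-list of self-editable fields, keeping the existing admin checks for the rest; a comment above the chain such as `// non-admin self-update: reject any attribute not explicitly self-editable; do not rely on naming each privileged key` would make that intent visible to the next maintainer. A regression test that sends a non-admin PATCH whose body contains `roles` and asserts an `AuthorizationError` would pin this fix, since nothing in the hunk guards against the typo recurring. The enclosing update method begins and ends outside this hunk, so whether unrecognised keys such as the old singular `role` are dropped or stored cannot be confirmed from here.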
diff --git a/version.sbt b/version.sbt
index 9e1a15392a..9b1f80021c 100644
--- a/version.sbt
+++ b/version.sbt
@@ -1 +1 @@
-version in ThisBuild := "3.3.0-1"
+version in ThisBuild := "3.3.1-1"
From 4bd630003acd211797ed5d70956b64fba8e880b5 Mon Sep 17 00:00:00 2001
From: Nabil Adouani
Date: Wed, 22 May 2019 14:33:17 +0200
Subject: [PATCH 3/3] Update change log file
---
 CHANGELOG.md | 7 +++++++
 1 file changed, 7 insertions(+)
diff --git a/CHANGELOG.md b/CHANGELOG.md
index bc0dce8ae9..99852ab57c 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -1,5 +1,12 @@
 # Change Log
+## [3.3.1](https://github.com/TheHive-Project/TheHive/tree/3.3.1) (2019-05-22)
+[Full Changelog](https://github.com/TheHive-Project/TheHive/compare/3.3.0...3.3.1)
+
+**Fixed bugs:**
+
+- THP-SEC-ADV-2017-001: Privilege Escalation in all Versions of TheHive [\#408](https://github.com/TheHive-Project/TheHive/issues/408)
+
 ## [3.3.0](https://github.com/TheHive-Project/TheHive/tree/3.3.0) (2019-03-19)
 [Full Changelog](https://github.com/TheHive-Project/TheHive/compare/3.3.0-RC6...3.3.0)