Centurion ERP (Enterprise Resource Planning) is a widely used open source application focused on providing organizations with comprehensive IT service management (ITSM) capabilities. A vulnerability has been found in the software and cataloged as CVE-2024-53855. It allows an authenticated user to view ticket information belonging to organizations they are not a member of, a cross-organization information disclosure that breaches the tenant isolation the permission model is meant to enforce.

In this post, we will discuss the details of the vulnerability, how it can be exploited, and propose potential solutions to mitigate the risk.

Exploit Details

The CVE-2024-53855 vulnerability occurs when a user who holds a ticket view permission is able to retrieve tickets from another organization they are not a part of via the API endpoints. The ticket view permissions involved are the ones listed below (the first three are the permissions named alongside view_ticket_problem in the example further down):

view_ticket_change - allows users to view change tickets.

view_ticket_incident - allows users to view incident tickets.

view_ticket_request - allows users to view request tickets.

view_ticket_problem - allows users to view problem tickets.

It is important to note that this vulnerability is only present when browsing API endpoints for the respective tickets; the Centurion UI is not affected. Additionally, Project Tasks, which are also considered a "ticket type", are not susceptible to this vulnerability.

Here's an example of how the aforementioned permissions might be assigned to a user. The helpers get_user_by_id and assign_permission are illustrative placeholders, not Centurion ERP API calls:

# Look up the user object for the given id (illustrative helper)
user = get_user_by_id(user_id)

# One view permission per ticket type affected by CVE-2024-53855
permissions = ["view_ticket_change", "view_ticket_incident", "view_ticket_request", "view_ticket_problem"]

# Grant each permission to the user (illustrative helper)
for permission in permissions:
    user.assign_permission(permission)

With these permissions, a user could effectively browse and view ticket details of another organization they are not a part of through API endpoints, thus causing potential privacy and security issues.
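The following is an added, constructed illustration of the authorization gap described above and of the scoping check that closes it; it is not Centurion ERP's code. It models a ticket list endpoint two ways: one that gates only on the model permission (the weak pattern that leaks other organizations' tickets) and one that additionally scopes results to the caller's organization memberships, plus an audit helper that flags any cross-organization rows an endpoint returns. Ticket, User, the sample tickets and the organization names are assumptions made for the example.

```python
from dataclasses import dataclass, field

# Permission codename per ticket type, as named in the advisory text above
TICKET_VIEW_PERMS = {
    "change": "view_ticket_change",
    "incident": "view_ticket_incident",
    "request": "view_ticket_request",
    "problem": "view_ticket_problem",
}

@dataclass(frozen=True)
class Ticket:                 # constructed, illustrative record
    id: int
    ticket_type: str          # "change", "incident", "request" or "problem"
    organization: str

@dataclass
class User:                   # constructed, illustrative record
    name: str
    permissions: set = field(default_factory=set)
    organizations: set = field(default_factory=set)  # orgs the user belongs to

def list_tickets_permission_only(user, ticket_type, tickets):
    """Weak pattern: the permission gates the endpoint, but nothing scopes the
    result set to the caller's organizations, so every organization's tickets leak."""
    if TICKET_VIEW_PERMS[ticket_type] not in user.permissions:
        return []
    return [t for t in tickets if t.ticket_type == ticket_type]

def list_tickets_scoped(user, ticket_type, tickets):
    """Hardened pattern: permission check plus organization scoping of the result set."""
    if TICKET_VIEW_PERMS[ticket_type] not in user.permissions:
        return []
    return [t for t in tickets
            if t.ticket_type == ticket_type and t.organization in user.organizations]

def cross_org_leak(user, ticket_type, handler, tickets):
    """Audit helper: tickets the handler returns that belong to organizations the
    user is not a member of. An empty list means the endpoint is properly scoped."""
    return [t for t in handler(user, ticket_type, tickets)
            if t.organization not in user.organizations]

# Constructed sample data: alice belongs to org-a only and holds view_ticket_problem
TICKETS = [
    Ticket(1, "problem", "org-a"),
    Ticket(2, "problem", "org-b"),
    Ticket(3, "incident", "org-b"),
]
ALICE = User("alice", {"view_ticket_problem"}, {"org-a"})
```

Running cross_org_leak against each handler shows that the permission-only endpoint returns org-b's problem ticket to alice while the scoped one does not, which is the check a regression test for this class of flaw should assert.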

Solution and Recommendations

To remediate this security flaw, Centurion has released version 1.3.1, which effectively addresses the vulnerability. Users are advised to upgrade their software to the latest version to ensure their applications remain secure.

If upgrading is not feasible, another option is to remove the ticket view permissions from users who may be affected by this vulnerability. However, it is important to consider the potential impact on business operations before implementing this solution.

Ultimately, the recommended approach is to upgrade to version 1.3.1, as this will ensure that your organization remains protected against this CVE-2024-53855 vulnerability.

For more information about the CVE-2024-53855 vulnerability, you can refer to the following sources:

1. Centurion ERP Official Release Notes: Version 1.3.1
2. CVE Details: CVE-2024-53855
3. NIST National Vulnerability Database: CVE-2024-53855

To sum up, it is essential to stay apprised of security vulnerabilities like CVE-2024-53855 and take proactive measures to keep your organization's IT systems secure and compliant. Upgrading to the latest version of Centurion ERP and adjusting user permissions as needed can protect your sensitive information and maintain the integrity of your IT service management solutions.

Timeline

Published on: 11/27/2024 19:15:33 UTC