Ole Herman S. Elgesem

**Name of the Vulnerable Software and Affected Versions** Mender versions prior to 3.6.6 Mender versions 3.7.x prior to 3.7.7 **Description** The issue allows for Server-Side Request Forgery (SSRF), which is a type of attack where an attacker can trick a server into making requests to internal or external resources. **Recommendations** For versions prior to 3.6.6, update to version 3.6.6 or later. For versions 3.7.x prior to 3.7.7, update to version 3.7.7 or later.

**Name of the Vulnerable Software and Affected Versions** Hosted Mender versions prior to 2024.07.11 **Description** The issue is related to a Server-Side Request Forgery (SSRF) vulnerability. This allows an attacker to forge requests from the server to other services, potentially leading to unauthorized access or data exposure. No information is provided about the estimated number of potentially affected devices worldwide or real-world incidents where this issue was exploited. **Recommendations** For versions prior to 2024.07.11, update to a version 2024.07.11 or later to resolve the SSRF vulnerability. As a temporary workaround, consider restricting access to sensitive services and resources that could be targeted by SSRF attacks until the update is applied.

**Name of the Vulnerable Software and Affected Versions** Mender versions 3.3.x through 3.3.1 Mender versions 3.4.x through 3.3.9 is not needed, since 3.4.0 is the fixed version, so we can say Mender versions 3.3.x through 3.3.1 and 3.4.x before 3.4.0 can be simplified to Mender versions 3.3.x through 3.3.1 and 3.4.x before 3.4.0 However, since 3.3.2 is the fixed version for 3.3.x, we can simplify to Mender versions 3.3.x through 3.3.1 Mender versions 3.4.x before 3.4.0 **Description** The issue is related to Incorrect Access Control, allowing low-privileged users default read access to some sensitive device information. **Recommendations** For Mender versions 3.3.x through 3.3.1, update to version 3.3.2 or later. For Mender versions 3.4.x before 3.4.0, update to version 3.4.0 or later.

**Name of the Vulnerable Software and Affected Versions** Northern.tech Mender versions 3.3.x through 3.3.1 Northern.tech Mender versions 3.4.x through 3.4.0 Northern.tech Mender versions 3.5.x through 3.5.0 Northern.tech Mender versions 3.6.x through 3.6.0 **Description** The issue is related to Incorrect Access Control, allowing users to change their roles, which could lead to privilege escalation from a low-privileged read-only user to a high-privileged user. This also allows low-privileged users to have default read access to some sensitive device information. **Recommendations** For Northern.tech Mender versions 3.3.x through 3.3.1, update to version 3.3.2 or later. For Northern.tech Mender versions 3.4.x through 3.4.0, update to version 3.4.0 or later. For Northern.tech Mender versions 3.5.x through 3.5.0, update to version 3.5.0 or later. For Northern.tech Mender versions 3.6.x through 3.6.0, update to version 3.6.0 or later.