CVE-2021-38147

Name of the Vulnerable Software and Affected Versions: Wipro Holmes Orchestrator version 20.4.1 (20.4.1 02 11 2020)

Description: The issue allows remote attackers to download arbitrary files, such as reports containing sensitive information, because authentication is not required for API access to several endpoints, including "processexecution/DownloadExcelFile/Domain Credential Report Excel", "processexecution/DownloadExcelFile/User Report Excel", "processexecution/DownloadExcelFile/Process Report Excel", "processexecution/DownloadExcelFile/Infrastructure Report Excel", or "processexecution/DownloadExcelFile/Resolver Report Excel".

Recommendations: As a temporary workaround, consider disabling access to the processexecution/DownloadExcelFile API endpoints until a patch is available. Restrict access to these endpoints to minimize the risk of exploitation. Avoid using these endpoints until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.