CVE-2021-43828

Name of the Vulnerable Software and Affected Versions: PatrOwl versions prior to 1.77

Description: The issue is related to improper privilege management in PatrowlManager, allowing unlogged-in users to download all finding import files. The files are stored under /media/imports/<owner id>/<tmp file>, where owner id is predictable and tmp file follows a predictable format, such as import <owner id> <time created>. This predictability enables unauthorized access to the files.

Recommendations: Update to version 1.7.7 as soon as possible. As a temporary workaround, consider restricting access to the /media/imports/ directory until the update is applied. Avoid using predictable filenames for import files until the issue is resolved. There are no known workarounds other than updating to the fixed version.