CVE-2024-38446

Name of the Vulnerable Software and Affected Versions NATO NCI ANET version 3.4.1

Description The issue concerns mishandling of report ownership. A user can create a report and change its author to any arbitrary user without their consent or knowledge. This is achieved by modifying the UUID in a POST request, bypassing the restrictions imposed by the user interface.

Recommendations For NATO NCI ANET version 3.4.1, as a temporary workaround, consider restricting access to the report creation feature until a patch is available. Additionally, monitor report ownership changes closely to detect any potential unauthorized modifications. At the moment, there is no information about a newer version that contains a fix for this vulnerability.