CVE-2024-26139
Published: 23 May 2024
Summary
CVE-2024-26139 is a high-severity Improper Access Control (CWE-284) vulnerability in Citeum Opencti. Its CVSS base score is 8.3 (High).
Operationally, it is ranked at the 36.5th percentile by exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2024-23427
Vulnerability details
OpenCTI is an open source platform allowing organizations to manage their cyber threat intelligence knowledge and observables. Due to lack of certain security controls on the profile edit functionality, an authenticated attacker with low privileges can gain administrative privileges on the web application.
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Mitigating Controls
Likely Mitigating Controls
Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.
- The awareness and training policy mandates training on access control practices, directly reducing the likelihood of improper access control weaknesses being introduced or exploited.
- The policy defines roles, responsibilities, and management commitment for authorization and monitoring, establishing formal access controls over these security functions.
- Deficiencies violating secure design principles are tracked and corrected through planned actions, limiting attacker opportunities from design flaws.
- A documented policy with defined scope, roles, responsibilities, and periodic review directly enforces secure design principles and management commitment.
- Mandates defining roles and responsibilities, security categorization, and controls (including authorization) while protecting plans from unauthorized modification.
- The CONOPS describes the organization's intended security and privacy operating model, including access-control concepts, making systemic improper access control less likely to persist undetected.
- Architectures explicitly define requirements and mechanisms for access control to protect confidentiality, integrity, and availability.
- Directly requires incorporating security and privacy considerations into the definition of mission/business processes, preventing violations of secure design principles at the organizational level.