CVE-2025-2271
Published: 13 March 2025
Summary
CVE-2025-2271 is a high-severity Authorization Bypass Through User-Controlled Key (CWE-639) vulnerability in Issuetrak (the affected product is inferred from the references). Its CVSS base score is 7.7 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Data from Information Repositories (T1213). The CVE is ranked at the 28.7th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 AC-25 (Reference Monitor) and AC-3 (Access Enforcement).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
- AC-3 (Access Enforcement): Directly addresses the improper access enforcement allowing IDOR exploitation in the audit component by requiring approved authorizations for logical access to audit data.
- AC-25 (Reference Monitor): Implements a tamperproof reference monitor to enforce access control policies on direct object references, preventing low-privileged users from accessing other users' audit results.
- Protects audit information from unauthorized access, modification, and deletion, mitigating the exposure of sensitive audit data belonging to other users via IDOR.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The IDOR vulnerability in the audit component directly enables unauthorized access to other users' audit data (including system details, processes, and configurations) stored in the application's information repository.
NVD Description
A vulnerability exists in Issuetrak v17.2.2 and prior that allows a low-privileged user to access audit results of other users by exploiting an Insecure Direct Object Reference (IDOR) vulnerability in the Issuetrak audit component. The vulnerability enables unauthorized access to sensitive information, including user details, network and hardware information, installed programs, running processes, drives, and printers. Due to improper access controls, an attacker can retrieve audit data belonging to other users, potentially leading to unauthorized data exposure, privacy violations, and security risks.
Deeper analysis
CVE-2025-2271 is an Insecure Direct Object Reference (IDOR) vulnerability, classified under CWE-639, affecting the audit component in Issuetrak versions 17.2.2 and prior. It stems from improper access controls that enable a low-privileged user to access audit results belonging to other users. This exposure includes sensitive information such as user details, network and hardware data, installed programs, running processes, drives, and printers. The vulnerability carries a CVSS v3.1 base score of 7.7 (AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N), indicating high confidentiality impact with network accessibility and low attack complexity.
A low-privileged authenticated user can exploit this vulnerability remotely without user interaction by manipulating object references in the audit component. Successful exploitation allows the attacker to retrieve audit data from other users' activities, leading to unauthorized data exposure, privacy violations, and potential security risks through the disclosure of system configuration details.
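The CWE-639 pattern this analysis describes, next to the access-enforcement fix the AC-3 and AC-25 controls call for, as an added illustration. This is not Issuetrak's code: the in-memory store, the user roles and the record fields are constructed assumptions.

```python
from __future__ import annotations
from dataclasses import dataclass

# Constructed stand-in for an audit-results store: two users, one audit
# record each. Field names and roles are assumptions, not Issuetrak's schema.
@dataclass(frozen=True)
class User:
    user_id: int
    role: str  # "user" or "admin"

@dataclass(frozen=True)
class AuditResult:
    audit_id: int
    owner_id: int
    installed_programs: tuple[str, ...]

AUDITS = {
    101: AuditResult(101, owner_id=1, installed_programs=("Office", "VPN client")),
    102: AuditResult(102, owner_id=2, installed_programs=("Accounting suite",)),
}

class Forbidden(Exception):
    """Raised when the caller is not authorized to read the requested record."""

def get_audit_vulnerable(current_user: User, audit_id: int) -> AuditResult:
    """CWE-639 shape: the user-controlled key alone selects the record.
    Authentication happened upstream, but nothing ties the record to the
    caller, so any logged-in user can read any audit_id they supply."""
    return AUDITS[audit_id]

def can_read_audit(current_user: User, record: AuditResult) -> bool:
    """Single policy decision point (the reference-monitor idea behind AC-25):
    every handler that returns audit data must go through this function."""
    return current_user.role == "admin" or record.owner_id == current_user.user_id

def get_audit_enforced(current_user: User, audit_id: int) -> AuditResult:
    """Access enforcement (AC-3): fetch by key, then verify the caller's right
    to this specific record before returning it. A missing id and a foreign id
    fail identically, so the response does not reveal which ids exist."""
    record = AUDITS.get(audit_id)
    if record is None or not can_read_audit(current_user, record):
        raise Forbidden(f"user {current_user.user_id} may not read audit {audit_id}")
    return record
```

In a real handler the audit id arrives from the request path or query string; the point is that the ownership check runs server-side against the stored owner, never against anything the client supplies.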
Mitigation details are available in the Issuetrak release notes at https://helpcenter.issuetrak.com/home/2340-issuetrak-release-notes.
Details
- CWE(s): CWE-639 (Authorization Bypass Through User-Controlled Key)