{"id":"CVE-2017-18376","details":"An improper authorization check in the User API in TheHive before 2.13.4 and 3.x before 3.3.1 allows users with read-only or read/write access to escalate their privileges to the administrator's privileges. This affects app/controllers/UserCtrl.scala.","modified":"2026-04-10T04:00:03.392030Z","published":"2019-06-02T20:29:00.230Z","references":[{"type":"WEB","url":"https://gist.github.com/RaJiska/c1b4521aefd77ed43b06045ca05e2591"},{"type":"ADVISORY","url":"https://github.com/TheHive-Project/TheHive/releases/tag/3.3.1"},{"type":"FIX","url":"https://github.com/TheHive-Project/TheHive/issues/408"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/thehive-project/thehive","events":[{"introduced":"0b82ae539037893c39e017e6482acef0ec6793e5"},{"fixed":"d8f0290cde1b802cb1f278f2d03899992a67fa6d"}],"database_specific":{"versions":[{"introduced":"3.0.0"},{"fixed":"3.3.1"}]}}],"versions":["3.0.0","3.0.1","3.0.2","3.0.3","3.0.4","3.0.5","3.0.6","3.0.7","3.0.8","3.0.9","3.1.0","3.1.0-RC1","3.1.0-RC2","3.1.0-RC3","3.2.0","3.2.0-RC1","3.2.1","3.3.0","3.3.0-RC3","3.3.0-RC5","3.3.0-RC6"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2017-18376.json","unresolved_ranges":[{"events":[{"introduced":"0"},{"fixed":"2.13.4"}]}]}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"}]}