CVE-2025-3014 (GCVE-0-2025-3014)
Vulnerability from cvelistv5
Published
2025-03-31 03:48
Modified
2025-03-31 13:37
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-285 - Improper Authorization
Summary
Insecure Direct Object References (IDOR) in access control in Tracking 2.1.4 on NightWolf Penetration Testing allows an attacker to access via manipulating request parameters or object references.
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| FPT Software | NightWolf Penetration Platform |
Version: 2.1.4 < Patch: 2.1.5 |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-3014",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-03-31T13:37:39.163781Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-03-31T13:37:51.896Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"modules": [
"tracking"
],
"product": "NightWolf Penetration Platform",
"vendor": "FPT Software",
"versions": [
{
"status": "affected",
"version": "2.1.4",
"versionType": "custom"
},
{
"status": "unaffected",
"version": "2.1.5",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "reporter",
"value": "Hoang Anh Khoa (khoahoang329@gmail.com)"
},
{
"lang": "en",
"type": "finder",
"value": "Quyen Hong Son (sonqh.kma@gmail.com)"
}
],
"datePublic": "2025-03-31T03:40:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Insecure Direct Object References (IDOR) in access control in Tracking 2.1.4 on NightWolf \u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003ePenetration Testing \u003c/span\u003eallows an attacker to access via manipulating request parameters or object references.\u003cbr\u003e\u003cbr\u003e"
}
],
"value": "Insecure Direct Object References (IDOR) in access control in Tracking 2.1.4 on NightWolf Penetration Testing allows an attacker to access via manipulating request parameters or object references."
}
],
"impacts": [
{
"capecId": "CAPEC-27",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-27: Leveraging Trust in Client"
}
]
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 8.3,
"baseSeverity": "HIGH",
"privilegesRequired": "LOW",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "HIGH",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "NONE",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-285",
"description": "CWE-285: Improper Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-03-31T03:52:24.208Z",
"orgId": "5ac195ad-69e7-48e7-9c1e-bfc958c39761",
"shortName": "FSOFT"
},
"references": [
{
"url": "https://bug.report.night-wolf.io/changelogs"
}
],
"source": {
"discovery": "UNKNOWN"
},
"timeline": [
{
"lang": "en",
"time": "2025-03-28T10:00:00.000Z",
"value": "The reporter submits the vulnerability to security_report@fpt.com."
},
{
"lang": "en",
"time": "2025-03-29T02:00:00.000Z",
"value": "The security team verifies the issue and provides a fixing solution."
},
{
"lang": "en",
"time": "2025-03-30T10:00:00.000Z",
"value": "The security team releases the fix, retests the issue, and closes the vulnerability."
},
{
"lang": "en",
"time": "2025-03-31T02:00:00.000Z",
"value": "Assign a CVE to the reporter."
}
],
"title": "Insecure direct object references (IDOR) in NightWolf Penetration Platform",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "5ac195ad-69e7-48e7-9c1e-bfc958c39761",
"assignerShortName": "FSOFT",
"cveId": "CVE-2025-3014",
"datePublished": "2025-03-31T03:48:12.504Z",
"dateReserved": "2025-03-31T03:27:15.991Z",
"dateUpdated": "2025-03-31T13:37:51.896Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1",
"vulnerability-lookup:meta": {
"vulnrichment": {
"containers": "{\"adp\": [{\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2025-3014\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"none\"}, {\"Automatable\": \"no\"}, {\"Technical Impact\": \"partial\"}], \"version\": \"2.0.3\", \"timestamp\": \"2025-03-31T13:37:39.163781Z\"}}}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2025-03-31T13:37:43.807Z\"}}], \"cna\": {\"title\": \"Insecure direct object references (IDOR) in NightWolf Penetration Platform\", \"source\": {\"discovery\": \"UNKNOWN\"}, \"credits\": [{\"lang\": \"en\", \"type\": \"reporter\", \"value\": \"Hoang Anh Khoa (khoahoang329@gmail.com)\"}, {\"lang\": \"en\", \"type\": \"finder\", \"value\": \"Quyen Hong Son (sonqh.kma@gmail.com)\"}], \"impacts\": [{\"capecId\": \"CAPEC-27\", \"descriptions\": [{\"lang\": \"en\", \"value\": \"CAPEC-27: Leveraging Trust in Client\"}]}], \"metrics\": [{\"format\": \"CVSS\", \"cvssV4_0\": {\"Safety\": \"NOT_DEFINED\", \"version\": \"4.0\", \"Recovery\": \"NOT_DEFINED\", \"baseScore\": 8.3, \"Automatable\": \"NOT_DEFINED\", \"attackVector\": \"NETWORK\", \"baseSeverity\": \"HIGH\", \"valueDensity\": \"NOT_DEFINED\", \"vectorString\": \"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N\", \"providerUrgency\": \"NOT_DEFINED\", \"userInteraction\": \"NONE\", \"attackComplexity\": \"LOW\", \"attackRequirements\": \"NONE\", \"privilegesRequired\": \"LOW\", \"subIntegrityImpact\": \"NONE\", \"vulnIntegrityImpact\": \"NONE\", \"subAvailabilityImpact\": \"NONE\", \"vulnAvailabilityImpact\": \"NONE\", \"subConfidentialityImpact\": \"HIGH\", \"vulnConfidentialityImpact\": \"HIGH\", \"vulnerabilityResponseEffort\": \"NOT_DEFINED\"}, \"scenarios\": [{\"lang\": \"en\", \"value\": \"GENERAL\"}]}], \"affected\": [{\"vendor\": \"FPT Software\", \"modules\": [\"tracking\"], \"product\": \"NightWolf Penetration Platform\", \"versions\": [{\"status\": \"affected\", \"version\": \"2.1.4\", \"versionType\": \"custom\"}, {\"status\": \"unaffected\", \"version\": \"2.1.5\", \"versionType\": \"custom\"}], \"defaultStatus\": \"unaffected\"}], \"timeline\": [{\"lang\": \"en\", \"time\": \"2025-03-28T10:00:00.000Z\", \"value\": \"The reporter submits the vulnerability to security_report@fpt.com.\"}, {\"lang\": \"en\", \"time\": \"2025-03-29T02:00:00.000Z\", \"value\": \"The security team verifies the issue and provides a fixing solution.\"}, {\"lang\": \"en\", \"time\": \"2025-03-30T10:00:00.000Z\", \"value\": \"The security team releases the fix, retests the issue, and closes the vulnerability.\"}, {\"lang\": \"en\", \"time\": \"2025-03-31T02:00:00.000Z\", \"value\": \"Assign a CVE to the reporter.\"}], \"datePublic\": \"2025-03-31T03:40:00.000Z\", \"references\": [{\"url\": \"https://bug.report.night-wolf.io/changelogs\"}], \"x_generator\": {\"engine\": \"Vulnogram 0.2.0\"}, \"descriptions\": [{\"lang\": \"en\", \"value\": \"Insecure Direct Object References (IDOR) in access control in Tracking 2.1.4 on NightWolf Penetration Testing allows an attacker to access via manipulating request parameters or object references.\", \"supportingMedia\": [{\"type\": \"text/html\", \"value\": \"Insecure Direct Object References (IDOR) in access control in Tracking 2.1.4 on NightWolf \u003cspan style=\\\"background-color: rgb(255, 255, 255);\\\"\u003ePenetration Testing \u003c/span\u003eallows an attacker to access via manipulating request parameters or object references.\u003cbr\u003e\u003cbr\u003e\", \"base64\": false}]}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-285\", \"description\": \"CWE-285: Improper Authorization\"}]}], \"providerMetadata\": {\"orgId\": \"5ac195ad-69e7-48e7-9c1e-bfc958c39761\", \"shortName\": \"FSOFT\", \"dateUpdated\": \"2025-03-31T03:52:24.208Z\"}}}",
"cveMetadata": "{\"cveId\": \"CVE-2025-3014\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2025-03-31T13:37:51.896Z\", \"dateReserved\": \"2025-03-31T03:27:15.991Z\", \"assignerOrgId\": \"5ac195ad-69e7-48e7-9c1e-bfc958c39761\", \"datePublished\": \"2025-03-31T03:48:12.504Z\", \"assignerShortName\": \"FSOFT\"}",
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
}
}
Loading…
Loading…
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
- Confirmed: The vulnerability is confirmed from an analyst perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
- Patched: This vulnerability was successfully patched by the user reporting the sighting.
- Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
- Not confirmed: The user expresses doubt about the veracity of the vulnerability.
- Not patched: This vulnerability was not successfully patched by the user reporting the sighting.
Loading…
Loading…