reNgine Sensitive User Information Disclosure Vulnerability

Vulnerability

A vulnerability in reNgine allows an insider attacker with any role, such as Auditor, Penetration Tester, or Sys Admin, to extract sensitive information from other reNgine users. This issue is present in reNgine versions through 2.2.0. After running a scan and obtaining vulnerabilities from a target, the attacker can retrieve details including username, password, email, role, first name, last name, status, and activity information by making a GET request to the '/api/listVulnerability/' endpoint.

Impact

Exploitation of this vulnerability could lead to unauthorized access to user accounts, allowing attackers to impersonate other users or escalate privileges, particularly if the extracted credentials are reused or decrypted. Additionally, the exposure of sensitive user information could facilitate targeted attacks, undermine trust in the application, and potentially violate data protection regulations.

Reproduction

To reproduce this vulnerability, log into an account with the Auditor, Penetration Tester, or Sys Admin role. After logging in, run a vulnerability scan that generates results. Once the scan is complete, navigate to the '/api/listVulnerability/' endpoint. The response will contain sensitive information from reNgine users who have previously run a scan. If the user has a role of Auditor, only information from users with higher privileges, such as Sys Admin or Penetration Tester, can be accessed.

Remediation

Users are advised to upgrade to reNgine version 2.2.0 or later.
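A regression check for after the upgrade, added here as an example and not taken from reNgine or the advisory: it walks a saved '/api/listVulnerability/' response body and reports every JSON path whose key looks like one of the user fields listed above. The key names and the nested `scan_history.initiated_by` shape of the sample are assumptions, and the sample bodies are constructed.

```python
import json

# Assumed JSON key names for the user fields the advisory lists (username,
# password, email, role, names, status, activity). Adjust to your deployment.
SENSITIVE_USER_KEYS = {
    "username", "password", "email", "role", "first_name", "last_name",
    "is_active", "last_login", "date_joined",
}

def find_user_field_leaks(node, path="$"):
    """Return JSON paths (in traversal order) whose key is a user-account field."""
    leaks = []
    if isinstance(node, dict):
        for key, value in node.items():
            child = f"{path}.{key}"
            if key.lower() in SENSITIVE_USER_KEYS:
                leaks.append(child)
            leaks.extend(find_user_field_leaks(value, child))
    elif isinstance(node, list):
        for i, item in enumerate(node):
            leaks.extend(find_user_field_leaks(item, f"{path}[{i}]"))
    return leaks

def audit_response(body):
    """Parse a response body saved from the endpoint and list leaked paths."""
    return find_user_field_leaks(json.loads(body))

# Constructed sample bodies (hypothetical shape, not captured from an instance).
LEAKY_BODY = json.dumps({"count": 1, "results": [{
    "id": 1, "name": "Constructed finding", "severity": 2,
    "scan_history": {"id": 7, "initiated_by": {
        "username": "user-a",
        "password": "<hash placeholder>",
        "email": "user-a@example.test",
        "is_active": True,
    }},
}]})
CLEAN_BODY = json.dumps({"count": 1, "results": [{
    "id": 1, "name": "Constructed finding", "severity": 2,
    "scan_history": {"id": 7},
}]})

if __name__ == "__main__":
    for label, body in (("leaky", LEAKY_BODY), ("clean", CLEAN_BODY)):
        leaks = audit_response(body)
        print(label, "FAIL" if leaks else "PASS", leaks)
```

An empty list for a response fetched with a low-privilege account is the expected result on a fixed instance; any reported path points at the nested object that still serializes account data.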

Added: Jun 9, 2025, 7:46 PM
Updated: Jun 9, 2025, 7:46 PM

Vulnerability Rating

Custom Algorithm

spread: 0.8
impact: 2.5
exploitability: 6.6
remediation: 7.7
relevance: 0.0
threat: 6.4
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.