Nagios Network Analyzer Access Control Vulnerability Allowing Deleted Users to Retain Access
Vulnerability
An access control vulnerability exists in Nagios Network Analyzer version 2024R1.0.3. The issue arises because the application does not properly invalidate sessions or revoke API tokens when a user account is deleted by an administrator. As a result, deleted users can still access certain system resources and functionalities. This vulnerability allows unauthorized access to sensitive data and the ability to perform privileged actions, such as modifying user profiles or creating new queries through the application's API.
Impact
Exploitation of this vulnerability could lead to unauthorized access to system resources, allowing deleted users to access sensitive data, modify profiles, and execute privileged actions through the application's API.
Reproduction
To reproduce this vulnerability, delete a user account through the Nagios Network Analyzer admin interface. After deletion, the user's existing session remains valid and any associated API tokens are not revoked. This can be verified by attempting to access restricted functions or data that the user was previously authorized to view.
Remediation
As a workaround, sessions can be manually invalidated and API tokens revoked for accounts that have been deleted. For a permanent fix, update to Nagios Network Analyzer version 2024R2.0.1, where this vulnerability has been addressed.
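As an added illustration (not Nagios code; all names and data are constructed), the following Python models the flaw and its fix: a deletion routine that also revokes sessions and API tokens, plus an authorization check that rejects any credential whose owner no longer exists.

```python
# Added example (not Nagios code): models the deletion flaw described above
# and the two layers of the fix. All identifiers and data are constructed.
from dataclasses import dataclass, field
from typing import Dict, Optional


@dataclass
class Store:
    users: Dict[str, str] = field(default_factory=dict)       # user_id -> role
    sessions: Dict[str, str] = field(default_factory=dict)    # session_id -> user_id
    api_tokens: Dict[str, str] = field(default_factory=dict)  # token -> user_id


def sample_store() -> Store:
    """Constructed sample data: an admin plus a user holding a session and a token."""
    s = Store()
    s.users = {"admin": "admin", "alice": "user"}
    s.sessions = {"sess-alice-1": "alice"}
    s.api_tokens = {"tok-alice-1": "alice"}
    return s


def delete_user_vulnerable(store: Store, user_id: str) -> None:
    """Removes only the user row; sessions and tokens keep working (the flaw)."""
    store.users.pop(user_id, None)


def delete_user_fixed(store: Store, user_id: str) -> None:
    """Removes the user row and every session and API token bound to it."""
    store.users.pop(user_id, None)
    store.sessions = {s: u for s, u in store.sessions.items() if u != user_id}
    store.api_tokens = {t: u for t, u in store.api_tokens.items() if u != user_id}


def _lookup(store: Store, session_id: Optional[str], token: Optional[str]) -> Optional[str]:
    """Maps a presented credential to the user_id recorded for it, if any."""
    if session_id is not None:
        return store.sessions.get(session_id)
    if token is not None:
        return store.api_tokens.get(token)
    return None


def authorize_naive(store: Store, session_id=None, token=None) -> Optional[str]:
    """Trusts any credential still present in the session/token tables."""
    return _lookup(store, session_id, token)


def authorize_hardened(store: Store, session_id=None, token=None) -> Optional[str]:
    """Defence in depth: a credential is valid only while its user still exists,
    so a skipped revocation no longer grants access."""
    user_id = _lookup(store, session_id, token)
    return user_id if user_id in store.users else None


def demo() -> Dict[str, bool]:
    """Runs the three scenarios; True means the deleted user still gets in."""
    s1 = sample_store(); delete_user_vulnerable(s1, "alice")
    s2 = sample_store(); delete_user_fixed(s2, "alice")
    return {
        "vulnerable_delete_naive_check": authorize_naive(s1, token="tok-alice-1") is not None,
        "vulnerable_delete_hardened_check": authorize_hardened(s1, session_id="sess-alice-1") is not None,
        "fixed_delete_naive_check": authorize_naive(s2, token="tok-alice-1") is not None,
    }
```

Only the first scenario lets the deleted account through; either layer on its own closes the gap, and a real deployment should apply both.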
Vulnerability Rating