CVE-2025-3014 - OpenCVE

Insecure Direct Object References (IDOR) in access control in Tracking 2.1.4 on NightWolf Penetration Testing allows an attacker to access via manipulating request parameters or object references.

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Attack Requirements None

User Interaction None

Vulnerable System Confidentiality Impact High

Vulnerable System Integrity Impact None

Vulnerable System Availability Impact None

Subsequent System Confidentiality Impact High

Subsequent System Integrity Impact None

Subsequent System Availability Impact None

No CVSS v3.1

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

Exploitation none

Automatable no

Technical Impact partial

No data.

No data.

No data.

References

Link	Providers
https://bug.report.night-wolf.io/changelogs

History

Mon, 31 Mar 2025 14:15:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

Mon, 31 Mar 2025 04:00:00 +0000

Type	Values Removed	Values Added
Description		Insecure Direct Object References (IDOR) in access control in Tracking 2.1.4 on NightWolf Penetration Testing allows an attacker to access via manipulating request parameters or object references.
Title		Insecure direct object references (IDOR) in NightWolf Penetration Platform
Weaknesses		CWE-285
References		https://bug.report.night-wolf.io/changelogs
Metrics		cvssV4_0 `{'score': 8.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N'}`

MITRE

Status: PUBLISHED

Assigner: FSOFT

Published: 2025-03-31T03:48:12.504Z

Updated: 2025-03-31T13:37:51.896Z

Reserved: 2025-03-31T03:27:15.991Z

Link: CVE-2025-3014

Vulnrichment

Updated: 2025-03-31T13:37:43.807Z

NVD

Status : Awaiting Analysis

Published: 2025-03-31T04:15:33.730

Modified: 2025-04-01T20:26:30.593

Link: CVE-2025-3014

Redhat

No data.

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2025-3014", "assignerOrgId": "5ac195ad-69e7-48e7-9c1e-bfc958c39761", "state": "PUBLISHED", "assignerShortName": "FSOFT", "dateReserved": "2025-03-31T03:27:15.991Z", "datePublished": "2025-03-31T03:48:12.504Z", "dateUpdated": "2025-03-31T13:37:51.896Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "unaffected", "modules": ["tracking"], "product": "NightWolf Penetration Platform", "vendor": "FPT Software", "versions": [{"status": "affected", "version": "2.1.4", "versionType": "custom"}, {"status": "unaffected", "version": "2.1.5", "versionType": "custom"}]}], "credits": [{"lang": "en", "type": "reporter", "value": "Hoang Anh Khoa ([email protected])"}, {"lang": "en", "type": "finder", "value": "Quyen Hong Son ([email protected])"}], "datePublic": "2025-03-31T03:40:00.000Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Insecure Direct Object References (IDOR) in access control in Tracking 2.1.4 on NightWolf <span style=\"background-color: rgb(255, 255, 255);\">Penetration Testing </span>allows an attacker to access via manipulating request parameters or object references.<br><br>"}], "value": "Insecure Direct Object References (IDOR) in access control in Tracking 2.1.4 on NightWolf Penetration Testing allows an attacker to access via manipulating request parameters or object references."}], "impacts": [{"capecId": "CAPEC-27", "descriptions": [{"lang": "en", "value": "CAPEC-27: Leveraging Trust in Client"}]}], "metrics": [{"cvssV4_0": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "baseScore": 8.3, "baseSeverity": "HIGH", "privilegesRequired": "LOW", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "HIGH", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N", "version": "4.0", "vulnAvailabilityImpact": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "NONE", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-285", "description": "CWE-285: Improper Authorization", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "5ac195ad-69e7-48e7-9c1e-bfc958c39761", "shortName": "FSOFT", "dateUpdated": "2025-03-31T03:52:24.208Z"}, "references": [{"url": "https://bug.report.night-wolf.io/changelogs"}], "source": {"discovery": "UNKNOWN"}, "timeline": [{"lang": "en", "time": "2025-03-28T10:00:00.000Z", "value": "The reporter submits the vulnerability to [email protected]."}, {"lang": "en", "time": "2025-03-29T02:00:00.000Z", "value": "The security team verifies the issue and provides a fixing solution."}, {"lang": "en", "time": "2025-03-30T10:00:00.000Z", "value": "The security team releases the fix, retests the issue, and closes the vulnerability."}, {"lang": "en", "time": "2025-03-31T02:00:00.000Z", "value": "Assign a CVE to the reporter."}], "title": "Insecure direct object references (IDOR) in NightWolf Penetration Platform", "x_generator": {"engine": "Vulnogram 0.2.0"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-03-31T13:37:39.163781Z", "id": "CVE-2025-3014", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-03-31T13:37:51.896Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-3014", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2025-03-31T13:37:39.163781Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-03-31T13:37:43.807Z"}}], "cna": {"title": "Insecure direct object references (IDOR) in NightWolf Penetration Platform", "source": {"discovery": "UNKNOWN"}, "credits": [{"lang": "en", "type": "reporter", "value": "Hoang Anh Khoa ([email protected])"}, {"lang": "en", "type": "finder", "value": "Quyen Hong Son ([email protected])"}], "impacts": [{"capecId": "CAPEC-27", "descriptions": [{"lang": "en", "value": "CAPEC-27: Leveraging Trust in Client"}]}], "metrics": [{"format": "CVSS", "cvssV4_0": {"Safety": "NOT_DEFINED", "version": "4.0", "Recovery": "NOT_DEFINED", "baseScore": 8.3, "Automatable": "NOT_DEFINED", "attackVector": "NETWORK", "baseSeverity": "HIGH", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N", "providerUrgency": "NOT_DEFINED", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "LOW", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "HIGH", "vulnConfidentialityImpact": "HIGH", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "FPT Software", "modules": ["tracking"], "product": "NightWolf Penetration Platform", "versions": [{"status": "affected", "version": "2.1.4", "versionType": "custom"}, {"status": "unaffected", "version": "2.1.5", "versionType": "custom"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2025-03-28T10:00:00.000Z", "value": "The reporter submits the vulnerability to [email protected]."}, {"lang": "en", "time": "2025-03-29T02:00:00.000Z", "value": "The security team verifies the issue and provides a fixing solution."}, {"lang": "en", "time": "2025-03-30T10:00:00.000Z", "value": "The security team releases the fix, retests the issue, and closes the vulnerability."}, {"lang": "en", "time": "2025-03-31T02:00:00.000Z", "value": "Assign a CVE to the reporter."}], "datePublic": "2025-03-31T03:40:00.000Z", "references": [{"url": "https://bug.report.night-wolf.io/changelogs"}], "x_generator": {"engine": "Vulnogram 0.2.0"}, "descriptions": [{"lang": "en", "value": "Insecure Direct Object References (IDOR) in access control in Tracking 2.1.4 on NightWolf Penetration Testing allows an attacker to access via manipulating request parameters or object references.", "supportingMedia": [{"type": "text/html", "value": "Insecure Direct Object References (IDOR) in access control in Tracking 2.1.4 on NightWolf <span style=\"background-color: rgb(255, 255, 255);\">Penetration Testing </span>allows an attacker to access via manipulating request parameters or object references.<br><br>", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-285", "description": "CWE-285: Improper Authorization"}]}], "providerMetadata": {"orgId": "5ac195ad-69e7-48e7-9c1e-bfc958c39761", "shortName": "FSOFT", "dateUpdated": "2025-03-31T03:52:24.208Z"}}}, "cveMetadata": {"cveId": "CVE-2025-3014", "state": "PUBLISHED", "dateUpdated": "2025-03-31T13:37:51.896Z", "dateReserved": "2025-03-31T03:27:15.991Z", "assignerOrgId": "5ac195ad-69e7-48e7-9c1e-bfc958c39761", "datePublished": "2025-03-31T03:48:12.504Z", "assignerShortName": "FSOFT"}, "dataVersion": "5.1"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Insecure Direct Object References (IDOR) in access control in Tracking 2.1.4 on NightWolf Penetration Testing allows an attacker to access via manipulating request parameters or object references."}, {"lang": "es", "value": "Las referencias directas a objetos inseguras (IDOR) en el control de acceso en Tracking 2.1.4 en las pruebas de penetraci\u00f3n de NightWolf permiten que un atacante acceda mediante la manipulaci\u00f3n de par\u00e1metros de solicitud o referencias de objetos."}], "id": "CVE-2025-3014", "lastModified": "2025-04-01T20:26:30.593", "metrics": {"cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 8.3, "baseSeverity": "HIGH", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "LOW", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "HIGH", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "NONE", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "5ac195ad-69e7-48e7-9c1e-bfc958c39761", "type": "Secondary"}]}, "published": "2025-03-31T04:15:33.730", "references": [{"source": "5ac195ad-69e7-48e7-9c1e-bfc958c39761", "url": "https://bug.report.night-wolf.io/changelogs"}], "sourceIdentifier": "5ac195ad-69e7-48e7-9c1e-bfc958c39761", "vulnStatus": "Awaiting Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-285"}], "source": "5ac195ad-69e7-48e7-9c1e-bfc958c39761", "type": "Secondary"}]}