【Critical】Smartbi Business Intelligence BI Software Permission Bypass Vulnerability

Vulnerability description

Smartbi is a business intelligence application that provides data integration, analysis, visualization and related functions to help users understand and use their data when making decisions.

Affected versions of Smartbi contain a permission bypass vulnerability. Unauthorized attackers can call the getPassword interface through RMI to obtain administrator token information. With administrator privileges, the attacker can then enter the management backend and execute arbitrary commands, damaging the target system or tampering with and stealing sensitive information.

Vulnerability name: Smartbi Business Intelligence BI Software Permission Bypass Vulnerability
Vulnerability type: Bypassing authorization mechanisms via user-controlled keys
Discovery time: 2023/8/1
Vulnerability breadth: wide
MPS number: MPS-el01-w76v
CVE number: -
CNVD number: -


Affected scope

Smartbi Business Intelligence BI software, versions in the range [V6, V11) (from V6 up to, but not including, V11)

Remediation

As a workaround, set ALLOW_CALL_GET_PASSWORD_METHOD=false in the Smartbi configuration to prohibit calls to the getPassword interface. The vendor's 28 July 2023 vulnerability reminder (see the reference links below) also asks customers to install the corresponding patch.
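The following triage helper is an added example, not code from Smartbi or from the advisory's author. It takes the two facts the advisory states, the affected range [V6, V11) and the ALLOW_CALL_GET_PASSWORD_METHOD=false workaround, and turns them into a check a defender can run against an inventory entry: is this instance in the affected version range, and is the getPassword interface explicitly disabled? It assumes the setting lives in a Java-style key=value properties file; the file path and the sample configurations are constructed placeholders, and the vendor default for an absent key is not known from the advisory, so an absent key is reported as "unset" and treated as exposed.

```python
"""Triage helper for the Smartbi getPassword permission-bypass advisory.

Added example. Assumptions: the affected range [V6, V11) and the setting name
come from the advisory; the configuration file format (key=value properties)
and its path are assumptions, not vendor documentation.
"""
import re

AFFECTED_MIN = 6    # inclusive lower bound, from the advisory's [V6, V11)
AFFECTED_MAX = 11   # exclusive upper bound
MITIGATION_KEY = "ALLOW_CALL_GET_PASSWORD_METHOD"  # setting named in the advisory
CONFIG_PATH = "/path/to/smartbi.properties"          # placeholder, adjust for your deployment

# Constructed sample configurations (not real Smartbi files).
SAMPLE_CONFIG_UNPATCHED = """# constructed sample: workaround not applied
SOME_OTHER_SETTING=1
"""
SAMPLE_CONFIG_HARDENED = """# constructed sample: workaround applied
ALLOW_CALL_GET_PASSWORD_METHOD=false
"""


def parse_major_version(version: str) -> int:
    """Extract the major version from strings such as 'V10', 'v9.5' or '11.0.2'."""
    m = re.search(r"[vV]?(\d+)", version)
    if not m:
        raise ValueError(f"cannot parse version: {version!r}")
    return int(m.group(1))


def is_affected_version(version: str) -> bool:
    """True when the major version falls inside [V6, V11)."""
    return AFFECTED_MIN <= parse_major_version(version) < AFFECTED_MAX


def parse_properties(text: str) -> dict:
    """Minimal properties parser: key=value or key: value, '#'/'!' comment lines skipped."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        m = re.match(r"([^=:\s]+)\s*[=:]\s*(.*)", line)
        if m:
            props[m.group(1)] = m.group(2).strip()
    return props


def mitigation_status(config_text: str) -> str:
    """'disabled' if getPassword is explicitly prohibited, 'enabled' if explicitly
    allowed, 'unset' if the key is absent (vendor default unknown from the advisory)."""
    value = parse_properties(config_text).get(MITIGATION_KEY)
    if value is None:
        return "unset"
    return "disabled" if value.lower() == "false" else "enabled"


def triage(version: str, config_text: str) -> dict:
    """Combine version range and workaround status into an exposure verdict."""
    affected = is_affected_version(version)
    status = mitigation_status(config_text)
    # Only the explicit 'false' counts as the advisory's workaround; an affected
    # version with anything else should be treated as exposed until patched.
    exposed = affected and status != "disabled"
    return {
        "version": version,
        "affected_version": affected,
        "mitigation": status,
        "exposed": exposed,
    }


if __name__ == "__main__":
    cases = [
        ("V10", SAMPLE_CONFIG_UNPATCHED),   # affected, workaround missing
        ("V10", SAMPLE_CONFIG_HARDENED),    # affected, workaround applied
        ("V11", SAMPLE_CONFIG_UNPATCHED),   # outside the affected range
    ]
    for ver, cfg in cases:
        print(triage(ver, cfg))
```

In a real deployment, read the configuration from CONFIG_PATH instead of the constructed samples and feed the installed version string from your asset inventory; an "exposed" verdict means the instance is in the affected range and the workaround is not confirmed, so the vendor patch should be scheduled.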

Reference links

OSCS | Open source software supply chain security community | Make every open source project more secure

[Vulnerability reminder on July 28, 2023] Solution to the "cracking user passwords under certain circumstances" vulnerability - FAQ Center

[Vulnerability reminder on July 28] "Cracking user passwords under certain circumstances" and "DB2 bypass judgment execution command vulnerability under certain circumstances" exist; please install the patch in time

About Murphy Security

Murphy Security is a technology company that provides professional software supply chain security management. Its core team comes from Baidu, Huawei, Wuyun and other companies. The company offers customers a complete software supply chain security management platform, built around SBOM-based security management across the full software life cycle; platform capabilities include software component analysis, source security management, container image scanning, vulnerability intelligence early warning, and commercial software supply chain access assessment. It gives customers end-to-end control across supply chain asset identification and management, risk detection, security control, and one-click repair.

Open source project: GitHub - murphysecurity/murphysec, an open source tool focused on software supply chain security. Murphy Security focuses on software supply chain security, with professional software component analysis (SCA), vulnerability detection, and a professional vulnerability database.

The product can be integrated with the tools in an existing development process at very low cost, including seamless integration with dozens of tools such as IDEs, GitLab, Bitbucket, Jenkins, Harbor, and Nexus.

Free code security detection tool: Murphy Security | Professional software supply chain security management
Free information subscription: https://www.oscs1024.com/cm/?sf=qbyj


Origin: blog.csdn.net/murphysec/article/details/132056839