Summary & Key Actions Required
Avantra has become aware of a high-severity data disclosure issue affecting customers running Avantra server 24 up to and including 24.0.6 and 24.1.0 where users have the ability to create dashboards with an auto-login user. This issue does not affect Avantra server versions before 24.0 and does not affect Avantra agents.
This issue could allow users with limited privileges to gain administrator permissions through creating a shared dashboard with a more privileged auto-login user, or users with no privileges can gain authenticated access to Avantra's UI with the privileges granted to the user the dashboard has been shared with.
We advise in the product that users created for the purpose of auto-login for dashboards should be limited to read only permissions however it is possible to set a more powerful user in this dialog.
This issue is fixed in Avantra Server versions 24.0.7 and 24.1.1.
Mitigation
We have completed our investigations into this issue and have released patches for customers to immediately implement.
Customers running Avantra 24.0 and above are advised to upgrade to the latest Avantra server version of at least 24.0.7 or 24.1.1. Agents are not affected.
Change Log
| 13th Mar @ 07:52 CET | Avantra was made aware a potential issue via a support incident from a customer. |
| 13th Mar @ 13:36 CET | Support agents successfully reproduced the issue and forwarded to development team. |
| 13th Mar @ 15:22 CET | Development accepts the issue and begins analysis for root cause |
| 13th Mar @ 16:25 CET | The issue is selected for immediate development and release and the security response team is assembled. |
| 21st Mar @ 17:00 CET | Software is released and this notice is published. Customer communications have been sent to all existing registered support customers on affected versions. |
We, at Avantra, take the security of our software and our customers very seriously and it is our top priority. We will keep you up to date as more information becomes available and encourage customers to subscribe to the security section of our forum to get proactive updates as we post them.