CVE-2018-17151

Vulnerability

InterSystems Caché version 2017.2.2.865.0 (and likely 2018.1.2) suffers from insufficient authorization controls, categorized as incorrect access control (CWE-863) [1]. The vulnerability affects the application's authorization mechanism, allowing unintended access to resources or functions that should be restricted. The advisory notes that the issue persists in version 2018.1.2 (released March 14, 2019) [1].

Exploitation

An unauthenticated remote attacker can exploit the insufficient authorization controls by sending crafted requests to the affected system [1]. No user interaction or special privileges are required. The advisory does not detail specific steps, but it implies that the standard HTTP/S access vector is sufficient to reach sensitive functionality without proper authentication.

Impact

Successful exploitation allows an unauthenticated attacker to bypass access controls, potentially leading to unauthorized access to data, modification of data, or other high-impact actions depending on the exposed functionality [1]. The advisory assesses the risk level as high.

Mitigation

According to the reference, the recommended mitigation is to update to the latest version of InterSystems Caché, disable the samples application, and avoid using the Private Pages functionality as an authorization mechanism [1]. No fixed version with a specific release date for this exact CVE is stated in the source material beyond the note that version 2018.1.2 still contains the issue.