Security Advisories

PlexTrac believes in transparency and open communication regarding security matters. This page is a centralized hub where details about newly discovered security flaws, severity ratings, affected product versions, and instructions on mitigating or fixing those vulnerabilities are published.

PlexTrac strongly encourages all users to regularly review this page and promptly apply the recommended mitigations or updates to safeguard their systems against potential security risks.

Release 2.11.0

11/05/2024

This is not an incident notice or a breach notification. Your data remains safe, and the integrity of our platform remains intact.

Through collaboration with third-party researchers and processing responsible disclosure, the following security issues have been patched/remediated:

Server-side Request Forgery (SSRF)

A vulnerability in the PlexTrac application allowed an attacker to interact with internal application components by utilizing a server-side request forgery variable. Upon discovery, the endpoint was identified as unused based on historic forensic log searching and static analysis of in-code references.

Insecure Deserialization via Runbooks Imports

A vulnerability was identified in a dependency used in our runbooks module to handle the upload/import of custom runbooks. The package maintainer identified a potential vulnerability in their code and proactively patched it; however, static analysis and software composition analysis tools are not currently reporting or detecting the issue.

Local File Inclusion

An undocumented and unpublished legacy endpoint was identified as having a local file inclusion vulnerability within the PlexTrac platform. Upon discovery, the endpoint was identified as unused based on historic forensic log searching and static analysis for in-code references to the endpoint.

N1QL Injection

An N1QL injection vulnerability was discovered within a legacy part of the application (slated for deprecation and removal). Upon initial report, the issue had already been resolved and was pending a scheduled platform release.

Denial of Service

Within a dependency of PlexTrac's frontend, a denial of service vulnerability was identified. This allowed an attacker to craft a payload, resulting in a temporary restart of the web server by oversaturating an active websocket connection.

Upon discovery, the package and its uses were evaluated, resulting in the removal of the vulnerable package and the disabling of the use of the affected websocket endpoint within the platform. No patches were available to resolve the underlying vulnerability.

Insecure YAML Deserialization

An unsafe default within an open-source dependency that handles importing runbooks data into the platform was identified, allowing code execution within the legacy runbooks importer.

After concluding the initial triage, PlexTrac's team resolved the issue within the code to rely upon a safe method for handling parsing runbooks data files.

Arbitrary File Write via PTRAC Import

Within the PTRAC report import functionality of the PlexTrac platform, an arbitrary file write vulnerability was detected in the mechanism intended to facilitate transferring report artifacts between instances of the platform. This vulnerability is only exploitable when combined with an arbitrary directory write primitive.

After triage, the team was able to patch the issue and apply both validation/sanitization mechanisms to PTRAC files.

Arbitrary Directory Write via Runbooks Artifact Upload

Within the runbooks module's attachment upload function, a directory traversal vulnerability was detected. This allowed end users to write non-arbitrary files outside their intended destination on the remote system to create arbitrary directories. These directories could then be used as part of other vulnerabilities to gain code execution.

Post triage, the team was able to patch the issue, apply both validation/sanitization mechanisms to the affected endpoints and prevent the directory traversal and arbitrary directory creation.

All findings noted above were identified and reported by the NAT Cyber Security Centre team, including:

• Arnoldas Radisauskas

• Selim Decamps

• Ianis Bernard

To date, PlexTrac has not identified any exploitation of the items outlined within this advisory across privately hosted systems managed by PlexTrac's operations team. All items in this advisory were resolved within hours of the report, and your data/systems remain safe and secure.

Release 2.9.0

9/10/2024 An information exposure issue was identified within the platform, which would allow users not granted permission VIEW CLIENT ASSETS the ability to see information regarding affected assets within API responses. Permission was enforced in several areas of the application. However, when viewing findings, the affected assets for that finding were inadvertently disclosed in an API response. The issue has been patched to ensure proper asset restriction when viewing reports and findings throughout the platform.