CVE-2024-1033: CWE-200 Information Disclosure in openBI

Medium
Tags: Vulnerability, CVE-2024-1033, cve, cwe-200
Published: Tue Jan 30 2024 (01/30/2024, 14:00:09 UTC)
Source: CVE Database V5
Vendor/Project: n/a
Product: openBI

Description

A vulnerability, which was classified as problematic, has been found in openBI up to 1.0.8. Affected by this issue is the function agent of the file /application/index/controller/Datament.php. The manipulation of the argument api leads to information disclosure. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. The identifier of this vulnerability is VDB-252308.

AI-Powered Analysis

Last updated: 07/08/2025, 01:26:08 UTC

Technical Analysis

CVE-2024-1033 is an information disclosure vulnerability identified in openBI versions 1.0.0 through 1.0.8. The vulnerability resides in the 'agent' function within the /application/index/controller/Datament.php file. Specifically, improper handling of the 'api' argument allows an attacker to remotely manipulate input parameters, leading to unauthorized disclosure of sensitive information. This vulnerability is classified under CWE-200, which pertains to exposure of sensitive information to an unauthorized actor. The vulnerability can be exploited remotely without user interaction but requires some level of privileges (PR:L) on the system, as indicated by the CVSS vector. The CVSS score of 4.3 (medium severity) reflects that the attack vector is network-based with low complexity and no user interaction needed, but it requires privileges. The impact is limited to confidentiality, with no effect on integrity or availability. Although no public exploits are currently known in the wild, the exploit details have been disclosed publicly, increasing the risk of exploitation. The lack of available patches or official vendor fixes at the time of publication means that affected organizations must rely on mitigation strategies until a patch is released. The vulnerability could allow attackers to gain access to sensitive data handled by openBI, potentially including business intelligence reports, user data, or configuration details, depending on the deployment context.

Potential Impact

For European organizations using openBI versions up to 1.0.8, this vulnerability poses a risk of unauthorized information disclosure. Given that openBI is a business intelligence tool, the sensitive data exposed could include internal analytics, user credentials, or proprietary business information. Such exposure could lead to competitive disadvantage, regulatory non-compliance (e.g., GDPR violations if personal data is leaked), and reputational damage. The medium severity rating suggests the impact is moderate, but the risk increases if the attacker has some level of access privileges. Organizations in regulated industries such as finance, healthcare, and government sectors in Europe are particularly at risk due to the sensitivity of the data processed. Additionally, since the attack can be launched remotely, any exposed openBI instances accessible over the internet or internal networks are vulnerable. The absence of a patch increases the urgency for interim controls. The impact on confidentiality could also facilitate further attacks if sensitive configuration or credential information is disclosed.

Mitigation Recommendations

1. Restrict access to openBI instances by implementing network-level controls such as firewalls and VPNs to limit exposure to trusted users only.
2. Enforce strict authentication and authorization policies to ensure only privileged users can access the vulnerable 'agent' function or related API endpoints.
3. Monitor and audit access logs for unusual or unauthorized API calls targeting the 'agent' function or the Datament.php controller.
4. Apply web application firewalls (WAFs) with custom rules to detect and block suspicious manipulation of the 'api' argument.
5. If feasible, disable or restrict the vulnerable functionality temporarily until an official patch is released.
6. Keep openBI installations isolated from public networks or segment them within secure network zones.
7. Regularly update and patch openBI once vendor fixes become available.
8. Conduct internal security assessments and penetration tests focusing on API input validation and information disclosure vectors.
9. Educate administrators and users about the risks of exposing business intelligence tools and the importance of secure configuration.
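Recommendations 2 and 3 above amount to one concrete check: every call to the 'agent' action should come from a trusted network and an authenticated user, because the CVSS vector (PR:L) says a legitimate caller is logged in. The script below is an added example, not openBI code and not part of the original advisory. It scans access-log lines in Apache/nginx combined format for requests that reach the Datament 'agent' action, records the value of the 'api' argument, and flags calls from outside a trusted CIDR list or without an authenticated user. The route form /index/datament/agent (and the ?s=index/datament/agent compatibility form) is an assumption about how the controller is exposed, and the log lines are constructed samples.

```python
"""Flag access-log requests to the openBI Datament.php 'agent' action.

Added example for the mitigation list above; not openBI code. The route
layout and the sample log lines are assumptions, marked below.
"""
import ipaddress
import re
from collections import Counter
from urllib.parse import parse_qs, urlsplit

# Constructed sample lines in combined log format (not real traffic).
SAMPLE_LOG = """\
10.0.5.20 - alice [30/Jan/2024:14:02:11 +0000] "GET /index/datament/agent?api=sales_dashboard HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.45 - - [30/Jan/2024:14:03:09 +0000] "GET /index/datament/agent?api=sales_dashboard HTTP/1.1" 200 812 "-" "curl/8.4.0"
10.0.5.21 - bob [30/Jan/2024:14:04:30 +0000] "GET /index/datament/index HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
203.0.113.45 - - [30/Jan/2024:14:04:55 +0000] "POST /index/datament/agent HTTP/1.1" 200 640 "-" "python-requests/2.31"
"""

# Fields of the combined log format that the check needs.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+)[^"]*" (?P<status>\d{3}) '
)

# ASSUMPTION: the controller is reachable as a ThinkPHP-style route,
# /index/datament/agent or index.php?s=index/datament/agent. Adjust the
# pattern to the route your deployment actually serves.
AGENT_ROUTE_RE = re.compile(r"(?:^|/)datament/agent(?:/|$)", re.IGNORECASE)


def is_agent_call(target: str) -> bool:
    """True if the request target resolves to the Datament 'agent' action."""
    parts = urlsplit(target)
    if AGENT_ROUTE_RE.search(parts.path):
        return True
    # Compatibility mode carries the route in the 's' query parameter.
    return any(AGENT_ROUTE_RE.search(r) for r in parse_qs(parts.query).get("s", []))


def scan(log_text: str, trusted_cidrs):
    """Return one record per agent call, with the flags a reviewer needs."""
    nets = [ipaddress.ip_network(c) for c in trusted_cidrs]
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m or not is_agent_call(m["target"]):
            continue
        api_values = parse_qs(urlsplit(m["target"]).query).get("api")
        try:
            untrusted = not any(ipaddress.ip_address(m["ip"]) in n for n in nets)
        except ValueError:  # hostname instead of an address: cannot verify, treat as untrusted
            untrusted = True
        hits.append({
            "ip": m["ip"],
            "user": None if m["user"] == "-" else m["user"],
            "ts": m["ts"],
            "method": m["method"],
            "status": int(m["status"]),
            "api": api_values[0] if api_values else None,   # None for POST bodies, which the log does not show
            "untrusted_source": untrusted,
            "unauthenticated": m["user"] == "-",
        })
    return hits


def per_source(hits) -> Counter:
    """Count agent calls per client address, to spot a single source hammering the action."""
    return Counter(h["ip"] for h in hits)


if __name__ == "__main__":
    for h in scan(SAMPLE_LOG, ["10.0.0.0/8"]):
        flags = [k for k in ("untrusted_source", "unauthenticated") if h[k]]
        print(h["ts"], h["ip"], h["user"], h["method"], h["api"], ",".join(flags) or "ok")
    print(per_source(scan(SAMPLE_LOG, ["10.0.0.0/8"])))
```

Point the script at the real access log and the CIDRs from recommendation 1; a record that carries either flag is a call the WAF rule in recommendation 4 should already have blocked, so the two controls cross-check each other. POST calls show api as None because the body is not logged, which is itself a reason to log request bodies for this one route while the patch is outstanding.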

Technical Details

Data Version
5.1
Assigner Short Name
VulDB
Date Reserved
2024-01-29T14:09:32.744Z
Cvss Version
3.1
State
PUBLISHED

Threat ID: 683879c8182aa0cae2829681

Added to database: 5/29/2025, 3:14:16 PM

Last enriched: 7/8/2025, 1:26:08 AM

Last updated: 8/18/2025, 7:59:45 PM
