Articles by Ole Herman S. Elgesem

    CVE-2025-49603 - Improper access control of device groups in Mender Server

    An ethical hacker on our HackerOne private bug bounty program recently discovered and disclosed access control issues with device groups in Mender Server.
    CVE-2024-55959 - Insecure permissions on private key file generated by the Mender Client

    A customer recently notified us of a security issue in Mender. On some versions, mender-auth generates private key files with non-strict file permissions.
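    The permission problem described in this teaser is easy to check for and easy to avoid. The following is an added example for this page, not code from Mender or mender-auth: it tests whether a key file is accessible to anyone other than its owner, tightens an existing loose file to mode 0600, and shows the create-with-0600 pattern (mode applied at open time, `O_EXCL` so nothing is overwritten) that never leaves the file world-readable even briefly. The file names and the placeholder key content are constructed for the example.

```python
import os
import stat
import tempfile

# Any read/write/execute permission for group or other makes a private key
# readable by other local accounts; only the owner bits should remain.
GROUP_OTHER_BITS = stat.S_IRWXG | stat.S_IRWXO
OWNER_RW = stat.S_IRUSR | stat.S_IWUSR  # 0600


def key_file_is_private(path):
    """True if no group/other permission bit is set (mode 0600 or stricter)."""
    mode = stat.S_IMODE(os.stat(path).st_mode)
    return (mode & GROUP_OTHER_BITS) == 0


def write_private_key(path, pem_bytes):
    """Create the key file with mode 0600 from the start.

    O_EXCL refuses to overwrite an existing file, and the mode is applied at
    creation (umask can only remove bits, never add them), so there is no
    window in which the file exists with wider permissions before a chmod.
    """
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, OWNER_RW)
    try:
        os.write(fd, pem_bytes)
    finally:
        os.close(fd)
    return stat.S_IMODE(os.stat(path).st_mode)


def harden_existing_key(path):
    """Remediate a key file that already exists with loose permissions."""
    os.chmod(path, OWNER_RW)
    return stat.S_IMODE(os.stat(path).st_mode)


# Constructed placeholder content for the example; not a real key.
SAMPLE_PEM = b"-----BEGIN PRIVATE KEY-----\nconstructed sample\n-----END PRIVATE KEY-----\n"


def demo():
    """Exercise both paths in a scratch directory.

    Returns (loose_file_was_private, mode_after_fix, mode_when_created_strictly).
    """
    with tempfile.TemporaryDirectory() as tmp:
        # 1. A key written the insecure way: plain open(), then world-readable.
        loose = os.path.join(tmp, "loose.key")  # constructed path
        with open(loose, "wb") as f:
            f.write(SAMPLE_PEM)
        os.chmod(loose, 0o644)  # stands in for a non-strict default mode
        loose_private = key_file_is_private(loose)  # False: group/other can read

        fixed_mode = harden_existing_key(loose)  # 0o600 after remediation

        # 2. A key created correctly from the first write.
        strict = os.path.join(tmp, "strict.key")  # constructed path
        created_mode = write_private_key(strict, SAMPLE_PEM)  # 0o600
        assert key_file_is_private(strict)

    return loose_private, fixed_mode, created_mode


if __name__ == "__main__":
    print(demo())
```

    On a deployed device the same check can be run against the real key path with `stat -c '%a %n'` and compared against 600; any file where the last two digits are not both zero is readable or writable by other local accounts.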
    CVE-2024-46947 & CVE-2024-47190 - SSRF issues in Mender Enterprise Server

    Recently discovered security vulnerabilities in Mender Server have been fixed.
    CVE-2024-46948 - Missing filtering based on RBAC device groups

    A customer recently notified us of a security issue in Mender. For users of RBAC and device groups, one specific API did not filter devices correctly.
    CVE-2024-37019 - Account takeover using SAML

    CVE-2024-37019 is an account-takeover vulnerability in Mender Enterprise which was fixed in versions 3.6.4 and 3.7.4.
    CVE-2022-45929 & CVE-2022-41324 — Improper access control for low-privileged users

    We recently discovered access control vulnerabilities in Mender Enterprise. Low-privileged read-only users could edit settings they were not supposed to edit, and could see potentially sensitive information that their role did not require.