Articles by Ole Herman S. Elgesem
CVE-2025-49603 - Improper access control of device groups in Mender Server
An ethical hacker on our HackerOne private bug bounty program recently discovered and disclosed access control issues with device groups in Mender Server.
CVE-2024-55959 - Insecure permissions on private key file generated by the Mender Client
A customer recently notified us of a security issue in Mender. On some versions, mender-auth generates private key files with non-strict file permissions.
CVE-2024-46947 & CVE-2024-47190 - SSRF issues in Mender Enterprise Server
Recently discovered security vulnerabilities in Mender Server have been fixed.
CVE-2024-46948 - Missing filtering based on RBAC device groups
A customer recently notified us of a security issue in Mender. For users of RBAC and device groups, one specific API did not filter devices correctly.
CVE-2024-37019 - Account takeover using SAML
CVE-2024-37019 is an account-takeover vulnerability in Mender Enterprise which was fixed in versions 3.6.4 and 3.7.4.
CVE-2022-45929 & CVE-2022-41324 — Improper access control for low-privileged users
We recently discovered vulnerabilities in Mender Enterprise which relate to access control. Low-privileged read-only users had access to editing settings they were not supposed to edit and see potentially sensitive information which was not necessary.