During my work with one of my employers, we were running a web application security penetration test with Black Hills Info Sec against a running instance of the Trident Trusted and Secure Communications platform in use on-site.  They discovered a privilege escalation vulnerability in the running version of the software, 1.4.6-RC1.

On March 6, 2018, Black Hills Info Sec discovered that version 1.4.6 RC1 contained a privilege escalation vulnerability: a regular user without any privileges was able to gain the ‘system administrator’ role, which would give them full access to all information stored within the secure communications platform.  Black Hills Info Sec called me at the workplace to report this extremely high risk issue.

Within 30 minutes of the call, I had a test instance of the software running locally and was able to confirm the issue myself.  Shortly thereafter, I reported the issue to the Trident team through their email address for reporting security issues.

Within 8 hours, the development team responded that the issue would be patched.  A patch was committed to version control the same evening to resolve the issue, and a new release of the software, 1.4.6 RC2, containing the fix was published by 1AM (Eastern US time) on March 7th, 2018.

No version earlier than 1.4.6 RC1 was deemed vulnerable to this issue.  Version 1.4.6 RC2 and all later versions are patched and not vulnerable to this issue.

The specific code branch with the fix is here: https://github.com/tridentli/pitchfork/commits/pf_168

There are two relevant commits which fixed this issue: First Commit, Second Commit