CVE-2021-36388
📋 TL;DR
This vulnerability allows attackers to enumerate and download user profile pictures in Yellowfin BI software through an Insecure Direct Object Reference (IDOR) flaw. Attackers can exploit this by sending specially crafted HTTP GET requests to the MIIAvatarImage.i4 endpoint. All Yellowfin installations before version 9.6.1 are affected.
💻 Affected Systems
- Yellowfin Business Intelligence
📦 What is this software?
Yellowfin by Yellowfinbi
⚠️ Risk & Real-World Impact
Worst Case
Attackers could enumerate and download the profile pictures of every user, yielding a list of valid accounts for password spraying or targeted phishing and exposing whatever the pictures themselves reveal about the users.
Likely Case
Unauthorized access to user profile pictures, enabling user enumeration and potential privacy violations.
If Mitigated
Limited impact if access to the endpoint is restricted at the network or proxy layer, though anyone who can still reach the instance can enumerate users until the patch is applied.
🎯 Exploit Status
Simple HTTP GET request exploitation with publicly available proof-of-concept code.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 9.6.1
Vendor Advisory: https://wiki.yellowfinbi.com/display/yfcurrent/Release+Notes+for+Yellowfin+9#ReleaseNotesforYellowfin9-Yellowfin9.6
Restart Required: Yes
Instructions:
1. Download Yellowfin 9.6.1 or later from official vendor sources.
2. Back up the current installation and data.
3. Follow the vendor upgrade instructions for your deployment type.
4. Restart Yellowfin services after the upgrade.
🔧 Temporary Workarounds
Web Application Firewall Rule
Block or monitor requests to the MIIAvatarImage.i4 endpoint
WAF-specific configuration required
Access Control Restriction
Restrict access to the vulnerable endpoint via network controls
firewall rules or reverse proxy configuration
🧯 If You Can't Patch
- Implement strict access controls to limit who can access the Yellowfin instance
- Monitor logs for suspicious requests to MIIAvatarImage.i4 endpoint
🔍 How to Verify
Check if Vulnerable:
Check the Yellowfin version via the admin interface or by examining the installation files. If the version is below 9.6.1, the system is vulnerable.
Check Version:
Check Yellowfin admin interface or examine version.txt in installation directory
Verify Fix Applied:
Verify that the Yellowfin version is 9.6.1 or higher, then confirm that a request to MIIAvatarImage.i4 for another user's avatar is refused rather than served.
📡 Detection & Monitoring
Log Indicators:
- Multiple GET requests to MIIAvatarImage.i4 with different parameters
- Unusual pattern of requests to user avatar endpoints
Network Indicators:
- HTTP GET requests to /MIIAvatarImage.i4 with sequential or unusual parameters
SIEM Query:
source="yellowfin" AND url="*MIIAvatarImage.i4*" AND (parameter="*user*" OR parameter="*id*")
(Field and parameter names are illustrative; adapt them to your log schema and group hits by source address to surface enumeration.)
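The log indicators above amount to one rule: a single client requesting MIIAvatarImage.i4 with many different query strings. The script below applies that rule to reverse-proxy access logs in combined format. It is an added example, not Yellowfin's own tooling or the researcher's proof of concept; the log lines are constructed, and the `id=` parameter in them is a placeholder, since the page does not give the real request parameter name.

```python
"""Flag access-log clients that look like they are enumerating Yellowfin
avatars through MIIAvatarImage.i4 (CVE-2021-36388).

Added example, not Yellowfin's own code. Assumes the reverse proxy in front
of Yellowfin writes the common/combined access-log format. The sample lines
below are constructed; the "id" query parameter is a placeholder, not
Yellowfin's real parameter name.
"""
import re
from collections import defaultdict
from urllib.parse import parse_qsl, urlsplit

# Common/combined log format prefix: client, ident, user, [time] "METHOD target proto" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+'
)
ENDPOINT = "MIIAvatarImage.i4"


def parse_line(line):
    """Parse one access-log line into a dict, or None if it is not log-shaped."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    parts = urlsplit(rec["target"])
    rec["path"] = parts.path
    # Normalise the query string so "a=1&b=2" and "b=2&a=1" count as one request shape.
    rec["params"] = tuple(sorted(parse_qsl(parts.query, keep_blank_values=True)))
    return rec


def avatar_requests(lines):
    """Yield parsed GET records whose path is the vulnerable endpoint (any context path)."""
    for line in lines:
        rec = parse_line(line)
        if rec and rec["method"] == "GET" and rec["path"].endswith("/" + ENDPOINT):
            yield rec


def find_enumerators(lines, min_distinct=5):
    """Return {client_ip: distinct_query_count} for clients that requested the
    endpoint with at least min_distinct different query strings. Repeats of the
    same query string (a user reloading their own avatar) do not add up."""
    seen = defaultdict(set)
    for rec in avatar_requests(lines):
        seen[rec["ip"]].add(rec["params"])
    return {ip: len(q) for ip, q in seen.items() if len(q) >= min_distinct}


# Constructed sample: 203.0.113.5 walks id=1..6 (id=3 twice), 198.51.100.7 fetches
# one avatar under a /yellowfin context path, plus unrelated and malformed lines.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Oct/2021:12:00:01 +0000] "GET /MIIAvatarImage.i4?id=1 HTTP/1.1" 200 5123 "-" "curl/7.79.1"
203.0.113.5 - - [10/Oct/2021:12:00:01 +0000] "GET /MIIAvatarImage.i4?id=2 HTTP/1.1" 200 4876 "-" "curl/7.79.1"
203.0.113.5 - - [10/Oct/2021:12:00:02 +0000] "GET /MIIAvatarImage.i4?id=3 HTTP/1.1" 200 5011 "-" "curl/7.79.1"
203.0.113.5 - - [10/Oct/2021:12:00:02 +0000] "GET /MIIAvatarImage.i4?id=3 HTTP/1.1" 200 5011 "-" "curl/7.79.1"
203.0.113.5 - - [10/Oct/2021:12:00:02 +0000] "GET /MIIAvatarImage.i4?id=4 HTTP/1.1" 200 4990 "-" "curl/7.79.1"
203.0.113.5 - - [10/Oct/2021:12:00:03 +0000] "GET /MIIAvatarImage.i4?id=5 HTTP/1.1" 200 5302 "-" "curl/7.79.1"
203.0.113.5 - - [10/Oct/2021:12:00:03 +0000] "GET /MIIAvatarImage.i4?id=6 HTTP/1.1" 200 5150 "-" "curl/7.79.1"
198.51.100.7 - - [10/Oct/2021:12:05:10 +0000] "GET /yellowfin/MIIAvatarImage.i4?id=9 HTTP/1.1" 200 4700 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Oct/2021:12:05:11 +0000] "POST /yellowfin/logon.i4 HTTP/1.1" 302 0 "-" "Mozilla/5.0"
this line is not an access-log entry
"""

if __name__ == "__main__":
    for ip, distinct in find_enumerators(SAMPLE_LOG.splitlines()).items():
        print(f"{ip}: {distinct} distinct avatar requests, likely enumeration")
```

The threshold of five distinct query strings is a starting point, not a tuned value: lower it on small deployments, and pair the output with the per-client request rate if the proxy also logs timing. Running the block against the embedded sample reports only 203.0.113.5.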
🔗 References
- http://seclists.org/fulldisclosure/2021/Oct/15
- https://cyberaz0r.info/2021/10/yellowfin-multiple-vulnerabilities/
- https://github.com/cyberaz0r/Yellowfin-Multiple-Vulnerabilities/blob/main/README.md
- https://packetstormsecurity.com/files/164515/Yellowfin-Cross-Site-Scripting-Insecure-Direct-Object-Reference.html
- https://wiki.yellowfinbi.com/display/yfcurrent/Release+Notes+for+Yellowfin+9#ReleaseNotesforYellowfin9-Yellowfin9.6