Redgate Monitor prior to 14.0.50 has a vulnerability that allows non-administrator users to view all the alerts in the Alert inbox and access the details of those alerts, regardless of the access control explicitly granted to the users.
Redgate Monitor version 14.0.50 fixes this vulnerability.
If you use Redgate Monitor's role-based access control, then users with read-only, standard, or reporting privileges could exploit the vulnerability to view alerts, and the related information about servers and databases, that they have not been granted access to and cannot see on any other page in Redgate Monitor. This vulnerability cannot be exploited to clear alerts or perform any other actions in the Alert inbox.
In all cases, only a valid user of Redgate Monitor could perform these actions - anonymous or invalid users were not granted access.
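As an added illustration (not Redgate's code, and not a description of how Redgate Monitor is implemented), the hypothetical Python model below shows the failure class this notice describes: an alert inbox that authenticates the user but never applies their per-server grants, beside a version that filters the inbox and re-checks the grant on the detail lookup. The role names, server names and alerts are constructed sample data.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Alert:
    alert_id: int
    server: str
    summary: str


# Constructed sample data: alerts raised on three monitored servers.
ALERTS = [
    Alert(1, "sql-prod-01", "Long-running query"),
    Alert(2, "sql-prod-02", "Disk space low"),
    Alert(3, "sql-dev-01", "Backup overdue"),
]

# Assumed grant model: admins see every server; other roles get an explicit set.
GRANTS = {
    "alice": {"role": "admin", "servers": set()},
    "bob": {"role": "read-only", "servers": {"sql-dev-01"}},
}


def can_view_server(user: str, server: str) -> bool:
    """Authorization check: admin, or the server is in the user's grant set."""
    grant = GRANTS[user]  # KeyError: unknown users are not valid users at all
    return grant["role"] == "admin" or server in grant["servers"]


def inbox_vulnerable(user: str) -> list:
    """Bug pattern: authenticates the caller but returns every alert."""
    GRANTS[user]  # only proves the user exists; no per-server filtering
    return [a.alert_id for a in ALERTS]


def inbox_fixed(user: str) -> list:
    """Fixed listing: the inbox only contains alerts on granted servers."""
    return [a.alert_id for a in ALERTS if can_view_server(user, a.server)]


def alert_details_fixed(user: str, alert_id: int) -> Optional[Alert]:
    """Detail lookup re-checks the grant instead of trusting the listing.

    Unauthorized and missing ids both return None so that the endpoint
    does not reveal which alert ids exist on servers the user cannot see.
    """
    for alert in ALERTS:
        if alert.alert_id == alert_id:
            return alert if can_view_server(user, alert.server) else None
    return None
```

The point of the second check is that the detail endpoint is an independent entry point: filtering the inbox alone leaves an alert id typed by hand unprotected.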
The vulnerability has a CVSS 3.1 score of 4.3 (medium).
Redgate Monitor release 14.0.50 includes a complete fix for the issue described in this notice. We recommend you upgrade to the latest release as soon as possible.
If you cannot update Redgate Monitor, then you may wish to review which users have access to it.
All our product teams receive training in secure development practices, and we peer review all code changes. We use extensive suites of automated checks.
Unfortunately, vulnerabilities do occasionally occur. We aim to fix and announce them promptly when we discover them, and provide information on our website when this happens. You can find out more in our product security policy.