Common Weakness Enumeration
Show details on NVD website
Show details on NVD website
Show details on NVD website
Show details on NVD website
Show details on NVD website
Show details on NVD website
Show details on NVD website
Show details on NVD website
Show details on NVD website
Show details on NVD website
Back to CWE stats page
CWE-269
Improper Privilege Management
The product does not properly assign, modify, track, or check privileges for an actor, creating an unintended sphere of control for that actor.
CVE-2024-46989 (GCVE-0-2024-46989)
Vulnerability from cvelistv5 – Published: 2024-09-18 17:29 – Updated: 2024-09-18 18:52
VLAI
Title
Multiple caveats on resources of the same type can result in no permission when permission is expected
Summary
spicedb is an Open Source, Google Zanzibar-inspired permissions database to enable fine-grained authorization for customer applications. Multiple caveats over the same indirect subject type on the same relation can result in no permission being returned when permission is expected. If the resource has multiple groups, and each group is caveated, it is possible for the returned permission to be "no permission" when permission is expected. Permission is returned as NO_PERMISSION when PERMISSION is expected on the CheckPermission API. This issue has been addressed in release version 1.35.3. Users are advised to upgrade. Users unable to upgrade should not use caveats or avoid the use of caveats on an indirect subject type with multiple entries.
Severity
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-269 - Improper Privilege Management
Assigner
References
2 references
| URL | Tags |
|---|---|
| https://github.com/authzed/spicedb/security/advis… | x_refsource_CONFIRM |
| https://github.com/authzed/spicedb/commit/d4ef8e1… | x_refsource_MISC |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-46989",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-09-18T18:52:37.867476Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-09-18T18:52:51.565Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "spicedb",
"vendor": "authzed",
"versions": [
{
"status": "affected",
"version": "\u003c 1.35.3"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "spicedb is an Open Source, Google Zanzibar-inspired permissions database to enable fine-grained authorization for customer applications. Multiple caveats over the same indirect subject type on the same relation can result in no permission being returned when permission is expected. If the resource has multiple groups, and each group is caveated, it is possible for the returned permission to be \"no permission\" when permission is expected. Permission is returned as NO_PERMISSION when PERMISSION is expected on the CheckPermission API. This issue has been addressed in release version 1.35.3. Users are advised to upgrade. Users unable to upgrade should not use caveats or avoid the use of caveats on an indirect subject type with multiple entries."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 3.7,
"baseSeverity": "LOW",
"confidentialityImpact": "NONE",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-269",
"description": "CWE-269: Improper Privilege Management",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-09-18T17:29:06.456Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/authzed/spicedb/security/advisories/GHSA-jhg6-6qrx-38mr",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/authzed/spicedb/security/advisories/GHSA-jhg6-6qrx-38mr"
},
{
"name": "https://github.com/authzed/spicedb/commit/d4ef8e1dbce1eafaf25847f4c0f09738820f5bf2",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/authzed/spicedb/commit/d4ef8e1dbce1eafaf25847f4c0f09738820f5bf2"
}
],
"source": {
"advisory": "GHSA-jhg6-6qrx-38mr",
"discovery": "UNKNOWN"
},
"title": "Multiple caveats on resources of the same type can result in no permission when permission is expected"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2024-46989",
"datePublished": "2024-09-18T17:29:06.456Z",
"dateReserved": "2024-09-16T16:10:09.019Z",
"dateUpdated": "2024-09-18T18:52:51.565Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-46999 (GCVE-0-2024-46999)
Vulnerability from cvelistv5 – Published: 2024-09-19 23:11 – Updated: 2024-09-20 15:44
VLAI
Title
User Grant Deactivation not Working in Zitadel
Summary
Zitadel is an open source identity management platform. ZITADEL's user grants deactivation mechanism did not work correctly. Deactivated user grants were still provided in token, which could lead to unauthorized access to applications and resources. Additionally, the management and auth API always returned the state as active or did not provide any information about the state. Versions 2.62.1, 2.61.1, 2.60.2, 2.59.3, 2.58.5, 2.57.5, 2.56.6, 2.55.8, and 2.54.10 have been released which address this issue. Users are advised to upgrade. Users unable to upgrade may explicitly remove the user grants to make sure the user does not get access anymore.
Severity
7.3 (High)
SSVC
Exploitation: none
Automatable: no
Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
- CWE-269 - Improper Privilege Management
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://github.com/zitadel/zitadel/security/advis… | x_refsource_CONFIRM |
Impacted products
2 products
| Vendor | Product | Version | |
|---|---|---|---|
| zitadel | zitadel |
Affected:
>= 2.62.0, < 2.62.1
Affected: >= 2.61.0, < 2.61.1 Affected: >= 2.60.0, < 2.60.2 Affected: >= 2.59.0, < 2.59.3 Affected: >= 2.58.0, < 2.58.5 Affected: >= 2.57.0, < 2.57.5 Affected: >= 2.56.0, < 2.56.6 Affected: >= 2.55.0, < 2.55.8 Affected: < 2.54.10 |
|
| zitadel | zitadel |
Affected:
0 , < 2.54.10
(custom)
Affected: 2.55.0 , < 2.55.8 (custom) Affected: 2.56.0 , < 2.56.6 (custom) Affected: 2.57.0 , < 2.57.5 (custom) Affected: 2.58.0 , < 2.58.5 (custom) Affected: 2.59.0 , < 2.59.3 (custom) Affected: 2.60.0 , < 2.60.2 (custom) Affected: 2.61.0 , < 2.61.1 (custom) Affected: 2.62.0 , < 2.62.1 (custom) cpe:2.3:a:zitadel:zitadel:*:*:*:*:*:*:*:* |
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:2.3:a:zitadel:zitadel:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "zitadel",
"vendor": "zitadel",
"versions": [
{
"lessThan": "2.54.10",
"status": "affected",
"version": "0",
"versionType": "custom"
},
{
"lessThan": "2.55.8",
"status": "affected",
"version": "2.55.0",
"versionType": "custom"
},
{
"lessThan": "2.56.6",
"status": "affected",
"version": "2.56.0",
"versionType": "custom"
},
{
"lessThan": "2.57.5",
"status": "affected",
"version": "2.57.0",
"versionType": "custom"
},
{
"lessThan": "2.58.5",
"status": "affected",
"version": "2.58.0",
"versionType": "custom"
},
{
"lessThan": "2.59.3",
"status": "affected",
"version": "2.59.0",
"versionType": "custom"
},
{
"lessThan": "2.60.2",
"status": "affected",
"version": "2.60.0",
"versionType": "custom"
},
{
"lessThan": "2.61.1",
"status": "affected",
"version": "2.61.0",
"versionType": "custom"
},
{
"lessThan": "2.62.1",
"status": "affected",
"version": "2.62.0",
"versionType": "custom"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-46999",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-09-20T15:42:37.629006Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-09-20T15:44:42.866Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "zitadel",
"vendor": "zitadel",
"versions": [
{
"status": "affected",
"version": "\u003e= 2.62.0, \u003c 2.62.1"
},
{
"status": "affected",
"version": "\u003e= 2.61.0, \u003c 2.61.1"
},
{
"status": "affected",
"version": "\u003e= 2.60.0, \u003c 2.60.2"
},
{
"status": "affected",
"version": "\u003e= 2.59.0, \u003c 2.59.3"
},
{
"status": "affected",
"version": "\u003e= 2.58.0, \u003c 2.58.5"
},
{
"status": "affected",
"version": "\u003e= 2.57.0, \u003c 2.57.5"
},
{
"status": "affected",
"version": "\u003e= 2.56.0, \u003c 2.56.6"
},
{
"status": "affected",
"version": "\u003e= 2.55.0, \u003c 2.55.8"
},
{
"status": "affected",
"version": "\u003c 2.54.10"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Zitadel is an open source identity management platform. ZITADEL\u0027s user grants deactivation mechanism did not work correctly. Deactivated user grants were still provided in token, which could lead to unauthorized access to applications and resources. Additionally, the management and auth API always returned the state as active or did not provide any information about the state. Versions 2.62.1, 2.61.1, 2.60.2, 2.59.3, 2.58.5, 2.57.5, 2.56.6, 2.55.8, and 2.54.10 have been released which address this issue. Users are advised to upgrade. Users unable to upgrade may explicitly remove the user grants to make sure the user does not get access anymore."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.3,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-269",
"description": "CWE-269: Improper Privilege Management",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-09-19T23:11:48.256Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/zitadel/zitadel/security/advisories/GHSA-2w5j-qfvw-2hf5",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/zitadel/zitadel/security/advisories/GHSA-2w5j-qfvw-2hf5"
}
],
"source": {
"advisory": "GHSA-2w5j-qfvw-2hf5",
"discovery": "UNKNOWN"
},
"title": "User Grant Deactivation not Working in Zitadel"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2024-46999",
"datePublished": "2024-09-19T23:11:48.256Z",
"dateReserved": "2024-09-16T16:10:09.022Z",
"dateUpdated": "2024-09-20T15:44:42.866Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-47000 (GCVE-0-2024-47000)
Vulnerability from cvelistv5 – Published: 2024-09-19 23:10 – Updated: 2024-09-20 15:42
VLAI
Title
Service Users Deactivation not Working in Zitadel
Summary
Zitadel is an open source identity management platform. ZITADEL's user account deactivation mechanism did not work correctly with service accounts. Deactivated service accounts retained the ability to request tokens, which could lead to unauthorized access to applications and resources. Versions 2.62.1, 2.61.1, 2.60.2, 2.59.3, 2.58.5, 2.57.5, 2.56.6, 2.55.8, and 2.54.10 have been released which address this issue. Users are advised t upgrade. Users unable to upgrade may instead of deactivating the service account, consider creating new credentials and replacing the old ones wherever they are used. This effectively prevents the deactivated service account from being utilized. Be sure to revoke all existing authentication keys associated with the service account and to rotate the service account's password.
Severity
8.1 (High)
SSVC
Exploitation: none
Automatable: yes
Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
- CWE-269 - Improper Privilege Management
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://github.com/zitadel/zitadel/security/advis… | x_refsource_CONFIRM |
Impacted products
2 products
| Vendor | Product | Version | |
|---|---|---|---|
| zitadel | zitadel |
Affected:
>= 2.62.0, < 2.62.1
Affected: >= 2.61.0, < 2.61.1 Affected: >= 2.60.0, < 2.60.2 Affected: >= 2.59.0, < 2.59.3 Affected: >= 2.58.0, < 2.58.5 Affected: >= 2.57.0, < 2.57.5 Affected: >= 2.56.0, < 2.56.6 Affected: >= 2.55.0, < 2.55.8 Affected: < 2.54.10 |
|
| zitadel | zitadel |
Affected:
0 , < 2.54.10
(custom)
Affected: 2.55.0 , < 2.55.8 (custom) Affected: 2.56.0 , < 2.56.6 (custom) Affected: 2.57.0 , < 2.57.5 (custom) Affected: 2.58.0 , < 2.58.5 (custom) Affected: 2.59.0 , < 2.59.3 (custom) Affected: 2.60.0 , < 2.60.2 (custom) Affected: 2.61.0 , < 2.61.1 (custom) Affected: 2.62.0 , < 2.62.1 (custom) cpe:2.3:a:zitadel:zitadel:*:*:*:*:*:*:*:* |
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:2.3:a:zitadel:zitadel:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "zitadel",
"vendor": "zitadel",
"versions": [
{
"lessThan": "2.54.10",
"status": "affected",
"version": "0",
"versionType": "custom"
},
{
"lessThan": "2.55.8",
"status": "affected",
"version": "2.55.0",
"versionType": "custom"
},
{
"lessThan": "2.56.6",
"status": "affected",
"version": "2.56.0",
"versionType": "custom"
},
{
"lessThan": "2.57.5",
"status": "affected",
"version": "2.57.0",
"versionType": "custom"
},
{
"lessThan": "2.58.5",
"status": "affected",
"version": "2.58.0",
"versionType": "custom"
},
{
"lessThan": "2.59.3",
"status": "affected",
"version": "2.59.0",
"versionType": "custom"
},
{
"lessThan": "2.60.2",
"status": "affected",
"version": "2.60.0",
"versionType": "custom"
},
{
"lessThan": "2.61.1",
"status": "affected",
"version": "2.61.0",
"versionType": "custom"
},
{
"lessThan": "2.62.1",
"status": "affected",
"version": "2.62.0",
"versionType": "custom"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-47000",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-09-20T15:39:20.211544Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-09-20T15:42:00.168Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "zitadel",
"vendor": "zitadel",
"versions": [
{
"status": "affected",
"version": "\u003e= 2.62.0, \u003c 2.62.1"
},
{
"status": "affected",
"version": "\u003e= 2.61.0, \u003c 2.61.1"
},
{
"status": "affected",
"version": "\u003e= 2.60.0, \u003c 2.60.2"
},
{
"status": "affected",
"version": "\u003e= 2.59.0, \u003c 2.59.3"
},
{
"status": "affected",
"version": "\u003e= 2.58.0, \u003c 2.58.5"
},
{
"status": "affected",
"version": "\u003e= 2.57.0, \u003c 2.57.5"
},
{
"status": "affected",
"version": "\u003e= 2.56.0, \u003c 2.56.6"
},
{
"status": "affected",
"version": "\u003e= 2.55.0, \u003c 2.55.8"
},
{
"status": "affected",
"version": "\u003c 2.54.10"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Zitadel is an open source identity management platform. ZITADEL\u0027s user account deactivation mechanism did not work correctly with service accounts. Deactivated service accounts retained the ability to request tokens, which could lead to unauthorized access to applications and resources. Versions 2.62.1, 2.61.1, 2.60.2, 2.59.3, 2.58.5, 2.57.5, 2.56.6, 2.55.8, and 2.54.10 have been released which address this issue. Users are advised t upgrade. Users unable to upgrade may instead of deactivating the service account, consider creating new credentials and replacing the old ones wherever they are used. This effectively prevents the deactivated service account from being utilized. Be sure to revoke all existing authentication keys associated with the service account and to rotate the service account\u0027s password."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 8.1,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-269",
"description": "CWE-269: Improper Privilege Management",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-09-19T23:10:33.882Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/zitadel/zitadel/security/advisories/GHSA-qr2h-7pwm-h393",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/zitadel/zitadel/security/advisories/GHSA-qr2h-7pwm-h393"
}
],
"source": {
"advisory": "GHSA-qr2h-7pwm-h393",
"discovery": "UNKNOWN"
},
"title": "Service Users Deactivation not Working in Zitadel"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2024-47000",
"datePublished": "2024-09-19T23:10:33.882Z",
"dateReserved": "2024-09-16T16:10:09.022Z",
"dateUpdated": "2024-09-20T15:42:00.168Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-47770 (GCVE-0-2024-47770)
Vulnerability from cvelistv5 – Published: 2025-02-03 21:34 – Updated: 2025-02-04 17:25
VLAI
Title
Ability to view Agent list with no privilege access in wazuh-dashboard
Summary
Wazuh is a free and open source platform used for threat prevention, detection, and response. It is capable of protecting workloads across on-premises, virtualized, containerized, and cloud-based environments. This vulnerability occurs when the system has weak privilege access, that allows an attacker to do privilege escalation. In this case the attacker is able to view agent list on Wazuh dashboard with no privilege access. This issue has been addressed in release version 4.9.1 and all users are advised to upgrade. There are no known workarounds for this vulnerability.
Severity
4.6 (Medium)
SSVC
Exploitation: poc
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-269 - Improper Privilege Management
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://github.com/wazuh/wazuh/security/advisorie… | x_refsource_CONFIRM |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-47770",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-02-04T17:24:55.439566Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-02-04T17:25:17.568Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"exploit"
],
"url": "https://github.com/wazuh/wazuh/security/advisories/GHSA-648q-8m78-5cwv"
}
],
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "wazuh",
"vendor": "wazuh",
"versions": [
{
"status": "affected",
"version": "\u003c 4.9.1"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Wazuh is a free and open source platform used for threat prevention, detection, and response. It is capable of protecting workloads across on-premises, virtualized, containerized, and cloud-based environments. This vulnerability occurs when the system has weak privilege access, that allows an attacker to do privilege escalation. In this case the attacker is able to view agent list on Wazuh dashboard with no privilege access. This issue has been addressed in release version 4.9.1 and all users are advised to upgrade. There are no known workarounds for this vulnerability."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.6,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-269",
"description": "CWE-269: Improper Privilege Management",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-02-03T21:34:06.742Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/wazuh/wazuh/security/advisories/GHSA-648q-8m78-5cwv",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/wazuh/wazuh/security/advisories/GHSA-648q-8m78-5cwv"
}
],
"source": {
"advisory": "GHSA-648q-8m78-5cwv",
"discovery": "UNKNOWN"
},
"title": "Ability to view Agent list with no privilege access in wazuh-dashboard"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2024-47770",
"datePublished": "2025-02-03T21:34:06.742Z",
"dateReserved": "2024-09-30T21:28:53.232Z",
"dateUpdated": "2025-02-04T17:25:17.568Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-48828 (GCVE-0-2024-48828)
Vulnerability from cvelistv5 – Published: 2025-03-17 17:10 – Updated: 2025-03-17 18:55
VLAI
Summary
Dell SmartFabric OS10 Software, version(s) 10.5.4.x, 10.5.5.x, 10.5.6.x, 10.6.0.x, contain(s) an Improper Privilege Management vulnerability. A low privileged attacker with local access could potentially exploit this vulnerability, leading to Unauthorized access.
Severity
5.5 (Medium)
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-269 - Improper Privilege Management
Assigner
References
4 references
| URL | Tags |
|---|---|
| https://www.dell.com/support/kbdoc/en-us/00028997… | vendor-advisory |
| https://www.dell.com/support/kbdoc/en-us/00029363… | vendor-advisory |
| https://www.dell.com/support/kbdoc/en-us/00029501… | vendor-advisory |
| https://www.dell.com/support/kbdoc/en-us/00029409… | vendor-advisory |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Dell | SmartFabric OS10 Software |
Affected:
10.5.4.x
Affected: 10.5.5.x Affected: 10.5.6.x Affected: 10.6.0.x |
Date Public
2025-02-28 06:30
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-48828",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-03-17T18:55:22.225943Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-03-17T18:55:31.578Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "SmartFabric OS10 Software",
"vendor": "Dell",
"versions": [
{
"status": "affected",
"version": "10.5.4.x"
},
{
"status": "affected",
"version": "10.5.5.x"
},
{
"status": "affected",
"version": "10.5.6.x"
},
{
"status": "affected",
"version": "10.6.0.x"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Dell would like to thank n3k from TIANGONG Team of Legendsec at QI-ANXIN Group for reporting this issue."
}
],
"datePublic": "2025-02-28T06:30:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Dell SmartFabric OS10 Software, version(s) 10.5.4.x, 10.5.5.x, 10.5.6.x, 10.6.0.x, contain(s) an Improper Privilege Management vulnerability. A low privileged attacker with local access could potentially exploit this vulnerability, leading to Unauthorized access.\u003cbr\u003e"
}
],
"value": "Dell SmartFabric OS10 Software, version(s) 10.5.4.x, 10.5.5.x, 10.5.6.x, 10.6.0.x, contain(s) an Improper Privilege Management vulnerability. A low privileged attacker with local access could potentially exploit this vulnerability, leading to Unauthorized access."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "NONE",
"baseScore": 5.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-269",
"description": "CWE-269: Improper Privilege Management",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-03-17T17:10:05.434Z",
"orgId": "c550e75a-17ff-4988-97f0-544cde3820fe",
"shortName": "dell"
},
"references": [
{
"tags": [
"vendor-advisory"
],
"url": "https://www.dell.com/support/kbdoc/en-us/000289970/dsa-2025-070-security-update-for-dell-networking-os10-vulnerabilities"
},
{
"tags": [
"vendor-advisory"
],
"url": "https://www.dell.com/support/kbdoc/en-us/000293638/dsa-2025-069-security-update-for-dell-networking-os10-vulnerabilities"
},
{
"tags": [
"vendor-advisory"
],
"url": "https://www.dell.com/support/kbdoc/en-us/000295014/dsa-2025-068-security-update-for-dell-networking-os10-vulnerabilities"
},
{
"tags": [
"vendor-advisory"
],
"url": "https://www.dell.com/support/kbdoc/en-us/000294091/dsa-2025-079-security-update-for-dell-networking-os10-vulnerabilities"
}
],
"source": {
"discovery": "UNKNOWN"
},
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "c550e75a-17ff-4988-97f0-544cde3820fe",
"assignerShortName": "dell",
"cveId": "CVE-2024-48828",
"datePublished": "2025-03-17T17:10:05.434Z",
"dateReserved": "2024-10-08T16:13:54.376Z",
"dateUpdated": "2025-03-17T18:55:31.578Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-49035 (GCVE-0-2024-49035)
Vulnerability from cvelistv5 – Published: 2024-11-26 19:40 – Updated: 2025-10-21 22:55 Exclusively Hosted Service
VLAI
Title
Partner.Microsoft.Com Elevation of Privilege Vulnerability
Summary
An improper access control vulnerability in Partner.Microsoft.com allows an a unauthenticated attacker to elevate privileges over a network.
Severity
SSVC
Exploitation: active
Automatable: no
Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
- CWE-269 - Improper Privilege Management
Assigner
References
2 references
| URL | Tags |
|---|---|
| https://msrc.microsoft.com/update-guide/vulnerabi… | vendor-advisory |
| https://www.cisa.gov/known-exploited-vulnerabilit… | government-resource |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Microsoft | Microsoft Partner Center |
Affected:
N/A
|
Date Public
2024-11-26 08:00
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-49035",
"options": [
{
"Exploitation": "active"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-02-26T04:55:46.669283Z",
"version": "2.0.3"
},
"type": "ssvc"
}
},
{
"other": {
"content": {
"dateAdded": "2025-02-25",
"reference": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2024-49035"
},
"type": "kev"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-10-21T22:55:35.138Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"government-resource"
],
"url": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2024-49035"
}
],
"timeline": [
{
"lang": "en",
"time": "2025-02-25T00:00:00.000Z",
"value": "CVE-2024-49035 added to CISA KEV"
}
],
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"platforms": [
"Unknown"
],
"product": "Microsoft Partner Center",
"vendor": "Microsoft",
"versions": [
{
"status": "affected",
"version": "N/A"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:microsoft:partner_center:*:*:*:*:*:*:*:*",
"versionStartIncluding": "N/A",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"datePublic": "2024-11-26T08:00:00.000Z",
"descriptions": [
{
"lang": "en-US",
"value": "An improper access control vulnerability in Partner.Microsoft.com allows an a unauthenticated attacker to elevate privileges over a network."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 8.7,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N/E:U/RL:O/RC:C",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en-US",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-269",
"description": "CWE-269: Improper Privilege Management",
"lang": "en-US",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-07-08T15:41:27.733Z",
"orgId": "f38d906d-7342-40ea-92c1-6c4a2c6478c8",
"shortName": "microsoft"
},
"references": [
{
"name": "Partner.Microsoft.Com Elevation of Privilege Vulnerability",
"tags": [
"vendor-advisory"
],
"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2024-49035"
}
],
"tags": [
"exclusively-hosted-service"
],
"title": "Partner.Microsoft.Com Elevation of Privilege Vulnerability"
}
},
"cveMetadata": {
"assignerOrgId": "f38d906d-7342-40ea-92c1-6c4a2c6478c8",
"assignerShortName": "microsoft",
"cveId": "CVE-2024-49035",
"datePublished": "2024-11-26T19:40:45.352Z",
"dateReserved": "2024-10-11T20:57:49.185Z",
"dateUpdated": "2025-10-21T22:55:35.138Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-49558 (GCVE-0-2024-49558)
Vulnerability from cvelistv5 – Published: 2024-11-12 03:22 – Updated: 2024-11-12 15:22
VLAI
Summary
Dell SmartFabric OS10 Software, version(s) 10.5.6.x, 10.5.5.x, 10.5.4.x, 10.5.3.x, contain(s) an Improper Privilege Management vulnerability. A low privileged attacker with local access could potentially exploit this vulnerability, leading to Elevation of privileges.
Severity
7.8 (High)
SSVC
Exploitation: none
Automatable: no
Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
- CWE-269 - Improper Privilege Management
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://www.dell.com/support/kbdoc/en-us/00024721… | vendor-advisory |
Impacted products
2 products
| Vendor | Product | Version | |
|---|---|---|---|
| Dell | SmartFabric OS10 Software |
Affected:
10.5.6.x
Affected: 10.5.5.x Affected: 10.5.4.x |
|
| dell | smartfabric_os10 |
Affected:
10.5.6.x
Affected: 10.5.5.x Affected: 10.5.4.x cpe:2.3:o:dell:smartfabric_os10:*:*:*:*:*:*:*:* |
Date Public
2024-11-11 06:30
Credits
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:2.3:o:dell:smartfabric_os10:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "smartfabric_os10",
"vendor": "dell",
"versions": [
{
"status": "affected",
"version": "10.5.6.x"
},
{
"status": "affected",
"version": "10.5.5.x"
},
{
"status": "affected",
"version": "10.5.4.x"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-49558",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-11-12T15:21:24.244859Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-11-12T15:22:07.222Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "SmartFabric OS10 Software",
"vendor": "Dell",
"versions": [
{
"status": "affected",
"version": "10.5.6.x"
},
{
"status": "affected",
"version": "10.5.5.x"
},
{
"status": "affected",
"version": "10.5.4.x"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Dell would like to thank n3k From TIANGONG Team of Legendsec at QI-ANXIN Group for reporting these issues."
}
],
"datePublic": "2024-11-11T06:30:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Dell SmartFabric OS10 Software, version(s) 10.5.6.x, 10.5.5.x, 10.5.4.x, 10.5.3.x, contain(s) an Improper Privilege Management vulnerability. A low privileged attacker with local access could potentially exploit this vulnerability, leading to Elevation of privileges."
}
],
"value": "Dell SmartFabric OS10 Software, version(s) 10.5.6.x, 10.5.5.x, 10.5.4.x, 10.5.3.x, contain(s) an Improper Privilege Management vulnerability. A low privileged attacker with local access could potentially exploit this vulnerability, leading to Elevation of privileges."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 7.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-269",
"description": "CWE-269: Improper Privilege Management",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-11-12T03:22:02.680Z",
"orgId": "c550e75a-17ff-4988-97f0-544cde3820fe",
"shortName": "dell"
},
"references": [
{
"tags": [
"vendor-advisory"
],
"url": "https://www.dell.com/support/kbdoc/en-us/000247217/dsa-2024-425-security-update-for-dell-networking-os10-vulnerabilities"
}
],
"source": {
"discovery": "UNKNOWN"
},
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "c550e75a-17ff-4988-97f0-544cde3820fe",
"assignerShortName": "dell",
"cveId": "CVE-2024-49558",
"datePublished": "2024-11-12T03:22:02.680Z",
"dateReserved": "2024-10-16T05:04:26.795Z",
"dateUpdated": "2024-11-12T15:22:07.222Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-4988 (GCVE-0-2024-4988)
Vulnerability from cvelistv5 – Published: 2024-05-21 10:04 – Updated: 2024-08-21 05:37
VLAI
Title
Improper permission control in com.transsion.videocallenhancer
Summary
The mobile application (com.transsion.videocallenhancer) interface has improper permission control, which can lead to the risk of private file leakage.
Severity
7.5 (High)
SSVC
Exploitation: none
Automatable: yes
Technical Impact: partial
CISA Coordinator (v2.0.3)
Assigner
References
3 references
Impacted products
2 products
| Vendor | Product | Version | |
|---|---|---|---|
| TECNO | com.transsion.videocallenhancer |
Affected:
1.1.9.973
|
|
| tecno | com.transsion.videocallenhancer |
Affected:
1.1.9.973
cpe:2.3:a:tecno:com.transsion.videocallenhancer:1.1.9.973:*:*:*:*:*:*:* |
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:2.3:a:tecno:com.transsion.videocallenhancer:1.1.9.973:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "com.transsion.videocallenhancer",
"vendor": "tecno",
"versions": [
{
"status": "affected",
"version": "1.1.9.973"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2024-4988",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-05-21T14:02:46.440075Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-284",
"description": "CWE-284 Improper Access Control",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-06-04T17:54:46.204Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-01T20:55:10.443Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://security.tecno.com/SRC/blogdetail/250?lang=en_US"
},
{
"tags": [
"x_transferred"
],
"url": "https://security.tecno.com/SRC/securityUpdates"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "com.transsion.videocallenhancer",
"vendor": "TECNO",
"versions": [
{
"status": "affected",
"version": "1.1.9.973"
}
]
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "The mobile application (com.transsion.videocallenhancer) interface has improper permission control, which can lead to the risk of private file leakage."
}
],
"value": "The mobile application (com.transsion.videocallenhancer) interface has improper permission control, which can lead to the risk of private file leakage."
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-269",
"description": "CWE-269 Improper Privilege Management",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-08-21T05:37:55.582Z",
"orgId": "907edf6c-bf03-423e-ab1a-8da27e1aa1ea",
"shortName": "TECNOMobile"
},
"references": [
{
"url": "https://security.tecno.com/SRC/blogdetail/250?lang=en_US"
},
{
"url": "https://security.tecno.com/SRC/securityUpdates?type=SA"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Improper permission control in com.transsion.videocallenhancer",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "907edf6c-bf03-423e-ab1a-8da27e1aa1ea",
"assignerShortName": "TECNOMobile",
"cveId": "CVE-2024-4988",
"datePublished": "2024-05-21T10:04:10.672Z",
"dateReserved": "2024-05-16T07:03:34.779Z",
"dateUpdated": "2024-08-21T05:37:55.582Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-5009 (GCVE-0-2024-5009)
Vulnerability from cvelistv5 – Published: 2024-06-25 19:58 – Updated: 2024-08-01 20:55
VLAI
Title
WhatsUp Gold SetAdminPassword Improper Access Control Privilege Escalation Vulnerability
Summary
In WhatsUp Gold versions released before 2023.1.3, an Improper Access Control vulnerability in Wug.UI.Controllers.InstallController.SetAdminPassword allows local attackers to modify admin's password.
Severity
8.4 (High)
SSVC
Exploitation: poc
Automatable: no
Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
- CWE-269 - Improper Privilege Management
Assigner
References
2 references
| URL | Tags |
|---|---|
| https://www.progress.com/network-monitoring | product |
| https://community.progress.com/s/article/WhatsUp-… | vendor-advisory |
Impacted products
2 products
| Vendor | Product | Version | |
|---|---|---|---|
| Progress Software Corporation | WhatsUp Gold |
Affected:
2023.1.0 , < 2023.1.3
(semver)
|
|
| progress | whatsup_gold |
Affected:
2023.1.0 , < 2023.1.3
(semver)
cpe:2.3:a:progress:whatsup_gold:2023.1.0:*:*:*:*:*:*:* |
Credits
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:2.3:a:progress:whatsup_gold:2023.1.0:*:*:*:*:*:*:*"
],
"defaultStatus": "affected",
"product": "whatsup_gold",
"vendor": "progress",
"versions": [
{
"lessThan": "2023.1.3",
"status": "affected",
"version": "2023.1.0",
"versionType": "semver"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-5009",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-07-09T03:55:42.940668Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-07-09T12:52:21.662Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-01T20:55:10.390Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"product",
"x_transferred"
],
"url": "https://www.progress.com/network-monitoring"
},
{
"tags": [
"vendor-advisory",
"x_transferred"
],
"url": "https://community.progress.com/s/article/WhatsUp-Gold-Security-Bulletin-June-2024"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "affected",
"modules": [
"API Endpoint"
],
"platforms": [
"Windows"
],
"product": "WhatsUp Gold",
"vendor": "Progress Software Corporation",
"versions": [
{
"lessThan": "2023.1.3",
"status": "affected",
"version": "2023.1.0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Sina Kheirkhah (@SinSinology) of Summoning Team (@SummoningTeam) working with Trend Micro Zero Day Initiative"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "In WhatsUp Gold versions released before 2023.1.3,\u0026nbsp;\u003cspan style=\"background-color: rgba(161, 189, 217, 0.08);\"\u003ean Improper Access Control vulnerability in Wug.UI.Controllers.InstallController.SetAdminPassword \u003ccode\u003eallows local attackers to modify admin\u0027s password.\u003c/code\u003e\u003c/span\u003e\u003cspan style=\"background-color: rgba(161, 189, 217, 0.08);\"\u003e\u003cspan style=\"background-color: rgba(9, 30, 66, 0.06);\"\u003e\u003cbr\u003e\u003cbr\u003e\u003cbr\u003e\u003cbr\u003e\u003c/span\u003e\n\n\u003c/span\u003e"
}
],
"value": "In WhatsUp Gold versions released before 2023.1.3,\u00a0an Improper Access Control vulnerability in Wug.UI.Controllers.InstallController.SetAdminPassword allows local attackers to modify admin\u0027s password."
}
],
"impacts": [
{
"capecId": "CAPEC-113",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-113 API Manipulation"
}
]
},
{
"capecId": "CAPEC-233",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-233 Privilege Escalation"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 8.4,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-269",
"description": "CWE-269 Improper Privilege Management",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-06-25T19:58:48.237Z",
"orgId": "f9fea0b6-671e-4eea-8fde-31911902ae05",
"shortName": "ProgressSoftware"
},
"references": [
{
"tags": [
"product"
],
"url": "https://www.progress.com/network-monitoring"
},
{
"tags": [
"vendor-advisory"
],
"url": "https://community.progress.com/s/article/WhatsUp-Gold-Security-Bulletin-June-2024"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "WhatsUp Gold SetAdminPassword Improper Access Control Privilege Escalation Vulnerability",
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "f9fea0b6-671e-4eea-8fde-31911902ae05",
"assignerShortName": "ProgressSoftware",
"cveId": "CVE-2024-5009",
"datePublished": "2024-06-25T19:58:48.237Z",
"dateReserved": "2024-05-16T15:59:50.763Z",
"dateUpdated": "2024-08-01T20:55:10.390Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-51521 (GCVE-0-2024-51521)
Vulnerability from cvelistv5 – Published: 2024-11-05 09:12 – Updated: 2024-11-05 15:06
VLAI
Summary
Input parameter verification vulnerability in the background service module
Impact: Successful exploitation of this vulnerability may affect availability.
Severity
5.7 (Medium)
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-269 - Improper Privilege Management
Assigner
References
1 reference
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-51521",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-11-05T15:05:24.549536Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-11-05T15:06:11.788Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "HarmonyOS",
"vendor": "Huawei",
"versions": [
{
"status": "affected",
"version": "5.0.0"
}
]
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Input parameter verification vulnerability in the background service module\u003cbr\u003eImpact: Successful exploitation of this vulnerability may affect availability."
}
],
"value": "Input parameter verification vulnerability in the background service module\nImpact: Successful exploitation of this vulnerability may affect availability."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "LOW",
"baseScore": 5.7,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:C/C:N/I:L/A:L",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-269",
"description": "CWE-269 Improper Privilege Management",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-11-05T09:12:16.946Z",
"orgId": "25ac1063-e409-4190-8079-24548c77ea2e",
"shortName": "huawei"
},
"references": [
{
"url": "https://consumer.huawei.com/en/support/bulletin/2024/11/"
}
],
"source": {
"discovery": "UNKNOWN"
},
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "25ac1063-e409-4190-8079-24548c77ea2e",
"assignerShortName": "huawei",
"cveId": "CVE-2024-51521",
"datePublished": "2024-11-05T09:12:16.946Z",
"dateReserved": "2024-10-29T01:43:54.525Z",
"dateUpdated": "2024-11-05T15:06:11.788Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
Mitigation ID: MIT-1
Phases: Architecture and Design, Operation
Description:
- Very carefully manage the setting, management, and handling of privileges. Explicitly manage trust zones in the software.
Mitigation ID: MIT-48
Phase: Architecture and Design
Strategy: Separation of Privilege
Description:
- Follow the principle of least privilege when assigning access rights to entities in a software system.
Mitigation ID: MIT-49
Phase: Architecture and Design
Strategy: Separation of Privilege
Description:
- Consider following the principle of separation of privilege. Require multiple conditions to be met before permitting access to a system resource.
CAPEC-122: Privilege Abuse
An adversary is able to exploit features of the target that should be reserved for privileged users or administrators but are exposed to use by lower or non-privileged accounts. Access to sensitive information and functionality must be controlled to ensure that only authorized users are able to access these resources.
CAPEC-233: Privilege Escalation
An adversary exploits a weakness enabling them to elevate their privilege and perform an action that they are not supposed to be authorized to perform.
CAPEC-58: Restful Privilege Elevation
An adversary identifies a Rest HTTP (Get, Put, Delete) style permission method allowing them to perform various malicious actions upon server data due to lack of access control mechanisms implemented within the application service accepting HTTP messages.