Search criteria
7 vulnerabilities found for ai-admin-graphql by aimeos
CVE-2024-47173 (GCVE-0-2024-47173)
Vulnerability from cvelistv5 – Published: 2024-10-24 18:54 – Updated: 2024-10-24 20:00
VLAI?
Title
Aimeos GraphQL API admin interface denial of service vulnerability in SaaS and marketplace setups
Summary
Aimeos is an e-commerce framework. All SaaS and marketplace setups using the Aimeos GraphQL API admin interface version from 2024.04 up to 2024.07.1 are affected by a potential denial of service attack. Version 2024.07.2 fixes the issue.
Severity ?
5.5 (Medium)
CWE
- CWE-270 - Privilege Context Switching Error
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| aimeos | ai-admin-graphql |
Affected:
>= 2024.04.1, < 2024.07.2
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-47173",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-10-24T20:00:12.610334Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-10-24T20:00:27.605Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "ai-admin-graphql",
"vendor": "aimeos",
"versions": [
{
"status": "affected",
"version": "\u003e= 2024.04.1, \u003c 2024.07.2"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Aimeos is an e-commerce framework. All SaaS and marketplace setups using the Aimeos GraphQL API admin interface version from 2024.04 up to 2024.07.1 are affected by a potential denial of service attack. Version 2024.07.2 fixes the issue."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 5.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "LOW",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-270",
"description": "CWE-270: Privilege Context Switching Error",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-10-24T18:54:12.478Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/aimeos/ai-admin-graphql/security/advisories/GHSA-qxgx-hvg3-v92w",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/aimeos/ai-admin-graphql/security/advisories/GHSA-qxgx-hvg3-v92w"
}
],
"source": {
"advisory": "GHSA-qxgx-hvg3-v92w",
"discovery": "UNKNOWN"
},
"title": "Aimeos GraphQL API admin interface denial of service vulnerability in SaaS and marketplace setups"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2024-47173",
"datePublished": "2024-10-24T18:54:12.478Z",
"dateReserved": "2024-09-19T22:32:11.961Z",
"dateUpdated": "2024-10-24T20:00:27.605Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-39324 (GCVE-0-2024-39324)
Vulnerability from cvelistv5 – Published: 2024-07-02 20:09 – Updated: 2024-08-02 04:19
VLAI?
Title
aimeos/ai-admin-graphql improper access control vulnerability allows editors to manage own services
Summary
aimeos/ai-admin-graphql is the Aimeos GraphQL API admin interface. Starting in version 2022.04.1 and prior to versions 2022.10.10, 2023.10.6, and 2024.4.2, improper access control allows a editors to manage own services via GraphQL API which isn't allowed in the JQAdm front end. Versions 2022.10.10, 2023.10.6, and 2024.4.2 contain a patch for the issue.
Severity ?
Assigner
References
| URL | Tags | ||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| aimeos | ai-admin-graphql |
Affected:
>= 2022.04.1, < 2022.10.10
Affected: >= 2023.04.1, < 2023.10.6 Affected: = 2024.04.1 |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-39324",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-07-09T15:21:05.566787Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-07-09T15:21:12.520Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-02T04:19:20.752Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "https://github.com/aimeos/ai-admin-graphql/security/advisories/GHSA-jj68-cp4v-98qf",
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/aimeos/ai-admin-graphql/security/advisories/GHSA-jj68-cp4v-98qf"
},
{
"name": "https://github.com/aimeos/ai-admin-graphql/commit/4eabc2b973509ffa5924e7f88c8f87ee96e93b38",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/aimeos/ai-admin-graphql/commit/4eabc2b973509ffa5924e7f88c8f87ee96e93b38"
},
{
"name": "https://github.com/aimeos/ai-admin-graphql/commit/687059d7eb2e1d55a09ed72dad3814f35edad038",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/aimeos/ai-admin-graphql/commit/687059d7eb2e1d55a09ed72dad3814f35edad038"
},
{
"name": "https://github.com/aimeos/ai-admin-graphql/commit/a839a5adf16fee4221d444b7d2f5140d8cabf0ac",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/aimeos/ai-admin-graphql/commit/a839a5adf16fee4221d444b7d2f5140d8cabf0ac"
},
{
"name": "https://github.com/aimeos/ai-admin-graphql/commit/acbb044620f4ff8e8d78a775cd205ec47cf119b3",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/aimeos/ai-admin-graphql/commit/acbb044620f4ff8e8d78a775cd205ec47cf119b3"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "ai-admin-graphql",
"vendor": "aimeos",
"versions": [
{
"status": "affected",
"version": "\u003e= 2022.04.1, \u003c 2022.10.10"
},
{
"status": "affected",
"version": "\u003e= 2023.04.1, \u003c 2023.10.6"
},
{
"status": "affected",
"version": "= 2024.04.1"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "aimeos/ai-admin-graphql is the Aimeos GraphQL API admin interface. Starting in version 2022.04.1 and prior to versions 2022.10.10, 2023.10.6, and 2024.4.2, improper access control allows a editors to manage own services via GraphQL API which isn\u0027t allowed in the JQAdm front end. Versions 2022.10.10, 2023.10.6, and 2024.4.2 contain a patch for the issue.\n"
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 3.8,
"baseSeverity": "LOW",
"confidentialityImpact": "NONE",
"integrityImpact": "LOW",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:L",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-1220",
"description": "CWE-1220: Insufficient Granularity of Access Control",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-863",
"description": "CWE-863: Incorrect Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-07-02T20:09:22.872Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/aimeos/ai-admin-graphql/security/advisories/GHSA-jj68-cp4v-98qf",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/aimeos/ai-admin-graphql/security/advisories/GHSA-jj68-cp4v-98qf"
},
{
"name": "https://github.com/aimeos/ai-admin-graphql/commit/4eabc2b973509ffa5924e7f88c8f87ee96e93b38",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/aimeos/ai-admin-graphql/commit/4eabc2b973509ffa5924e7f88c8f87ee96e93b38"
},
{
"name": "https://github.com/aimeos/ai-admin-graphql/commit/687059d7eb2e1d55a09ed72dad3814f35edad038",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/aimeos/ai-admin-graphql/commit/687059d7eb2e1d55a09ed72dad3814f35edad038"
},
{
"name": "https://github.com/aimeos/ai-admin-graphql/commit/a839a5adf16fee4221d444b7d2f5140d8cabf0ac",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/aimeos/ai-admin-graphql/commit/a839a5adf16fee4221d444b7d2f5140d8cabf0ac"
},
{
"name": "https://github.com/aimeos/ai-admin-graphql/commit/acbb044620f4ff8e8d78a775cd205ec47cf119b3",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/aimeos/ai-admin-graphql/commit/acbb044620f4ff8e8d78a775cd205ec47cf119b3"
}
],
"source": {
"advisory": "GHSA-jj68-cp4v-98qf",
"discovery": "UNKNOWN"
},
"title": "aimeos/ai-admin-graphql improper access control vulnerability allows editors to manage own services"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2024-39324",
"datePublished": "2024-07-02T20:09:22.872Z",
"dateReserved": "2024-06-21T18:15:22.263Z",
"dateUpdated": "2024-08-02T04:19:20.752Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-39323 (GCVE-0-2024-39323)
Vulnerability from cvelistv5 – Published: 2024-07-02 16:03 – Updated: 2024-08-02 04:19
VLAI?
Title
aimeos/ai-admin-graphql improper access control vulnerability allows an editor to modify admin account
Summary
aimeos/ai-admin-graphql is the Aimeos GraphQL API admin interface. Starting in version 2022.04.01 and prior to versions 2022.10.10, 2023.10.6, and 2024.04.6, an improper access control vulnerability allows an editor to modify and take over an admin account in the back end. Versions 2022.10.10, 2023.10.6, and 2024.04.6 fix this issue.
Severity ?
7.1 (High)
Assigner
References
| URL | Tags | |||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| aimeos | ai-admin-graphql |
Affected:
>= 2022.04.1, < 2022.10.10
Affected: >= 2023.04.1, < 2023.10.6 Affected: >= 2024.04.1, < 2024.04.6 |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-39323",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-07-02T18:03:14.407678Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-07-02T18:04:26.671Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-02T04:19:20.645Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "https://github.com/aimeos/ai-admin-graphql/security/advisories/GHSA-vc7j-99jw-jrqm",
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/aimeos/ai-admin-graphql/security/advisories/GHSA-vc7j-99jw-jrqm"
},
{
"name": "https://github.com/aimeos/ai-admin-graphql/commit/2d89d98cdcad880a9244b50736b08c1a171379ca",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/aimeos/ai-admin-graphql/commit/2d89d98cdcad880a9244b50736b08c1a171379ca"
},
{
"name": "https://github.com/aimeos/ai-admin-graphql/commit/54d6b7cf4530cb3b95f52775c24056c48e6d26e9",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/aimeos/ai-admin-graphql/commit/54d6b7cf4530cb3b95f52775c24056c48e6d26e9"
},
{
"name": "https://github.com/aimeos/ai-admin-graphql/commit/787028de0a3ecbf3e9f63ab1454eac99ce7693a9",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/aimeos/ai-admin-graphql/commit/787028de0a3ecbf3e9f63ab1454eac99ce7693a9"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "ai-admin-graphql",
"vendor": "aimeos",
"versions": [
{
"status": "affected",
"version": "\u003e= 2022.04.1, \u003c 2022.10.10"
},
{
"status": "affected",
"version": "\u003e= 2023.04.1, \u003c 2023.10.6"
},
{
"status": "affected",
"version": "\u003e= 2024.04.1, \u003c 2024.04.6"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "aimeos/ai-admin-graphql is the Aimeos GraphQL API admin interface. Starting in version 2022.04.01 and prior to versions 2022.10.10, 2023.10.6, and 2024.04.6, an improper access control vulnerability allows an editor to modify and take over an admin account in the back end. Versions 2022.10.10, 2023.10.6, and 2024.04.6 fix this issue.\n"
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 7.1,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:L",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-1220",
"description": "CWE-1220: Insufficient Granularity of Access Control",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-863",
"description": "CWE-863: Incorrect Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-07-02T16:03:03.253Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/aimeos/ai-admin-graphql/security/advisories/GHSA-vc7j-99jw-jrqm",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/aimeos/ai-admin-graphql/security/advisories/GHSA-vc7j-99jw-jrqm"
},
{
"name": "https://github.com/aimeos/ai-admin-graphql/commit/2d89d98cdcad880a9244b50736b08c1a171379ca",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/aimeos/ai-admin-graphql/commit/2d89d98cdcad880a9244b50736b08c1a171379ca"
},
{
"name": "https://github.com/aimeos/ai-admin-graphql/commit/54d6b7cf4530cb3b95f52775c24056c48e6d26e9",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/aimeos/ai-admin-graphql/commit/54d6b7cf4530cb3b95f52775c24056c48e6d26e9"
},
{
"name": "https://github.com/aimeos/ai-admin-graphql/commit/787028de0a3ecbf3e9f63ab1454eac99ce7693a9",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/aimeos/ai-admin-graphql/commit/787028de0a3ecbf3e9f63ab1454eac99ce7693a9"
}
],
"source": {
"advisory": "GHSA-vc7j-99jw-jrqm",
"discovery": "UNKNOWN"
},
"title": "aimeos/ai-admin-graphql improper access control vulnerability allows an editor to modify admin account"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2024-39323",
"datePublished": "2024-07-02T16:03:03.253Z",
"dateReserved": "2024-06-21T18:15:22.263Z",
"dateUpdated": "2024-08-02T04:19:20.645Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-47173 (GCVE-0-2024-47173)
Vulnerability from nvd – Published: 2024-10-24 18:54 – Updated: 2024-10-24 20:00
VLAI?
Title
Aimeos GraphQL API admin interface denial of service vulnerability in SaaS and marketplace setups
Summary
Aimeos is an e-commerce framework. All SaaS and marketplace setups using the Aimeos GraphQL API admin interface version from 2024.04 up to 2024.07.1 are affected by a potential denial of service attack. Version 2024.07.2 fixes the issue.
Severity ?
5.5 (Medium)
CWE
- CWE-270 - Privilege Context Switching Error
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| aimeos | ai-admin-graphql |
Affected:
>= 2024.04.1, < 2024.07.2
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-47173",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-10-24T20:00:12.610334Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-10-24T20:00:27.605Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "ai-admin-graphql",
"vendor": "aimeos",
"versions": [
{
"status": "affected",
"version": "\u003e= 2024.04.1, \u003c 2024.07.2"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Aimeos is an e-commerce framework. All SaaS and marketplace setups using the Aimeos GraphQL API admin interface version from 2024.04 up to 2024.07.1 are affected by a potential denial of service attack. Version 2024.07.2 fixes the issue."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 5.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "LOW",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-270",
"description": "CWE-270: Privilege Context Switching Error",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-10-24T18:54:12.478Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/aimeos/ai-admin-graphql/security/advisories/GHSA-qxgx-hvg3-v92w",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/aimeos/ai-admin-graphql/security/advisories/GHSA-qxgx-hvg3-v92w"
}
],
"source": {
"advisory": "GHSA-qxgx-hvg3-v92w",
"discovery": "UNKNOWN"
},
"title": "Aimeos GraphQL API admin interface denial of service vulnerability in SaaS and marketplace setups"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2024-47173",
"datePublished": "2024-10-24T18:54:12.478Z",
"dateReserved": "2024-09-19T22:32:11.961Z",
"dateUpdated": "2024-10-24T20:00:27.605Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-39324 (GCVE-0-2024-39324)
Vulnerability from nvd – Published: 2024-07-02 20:09 – Updated: 2024-08-02 04:19
VLAI?
Title
aimeos/ai-admin-graphql improper access control vulnerability allows editors to manage own services
Summary
aimeos/ai-admin-graphql is the Aimeos GraphQL API admin interface. Starting in version 2022.04.1 and prior to versions 2022.10.10, 2023.10.6, and 2024.4.2, improper access control allows a editors to manage own services via GraphQL API which isn't allowed in the JQAdm front end. Versions 2022.10.10, 2023.10.6, and 2024.4.2 contain a patch for the issue.
Severity ?
Assigner
References
| URL | Tags | ||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| aimeos | ai-admin-graphql |
Affected:
>= 2022.04.1, < 2022.10.10
Affected: >= 2023.04.1, < 2023.10.6 Affected: = 2024.04.1 |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-39324",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-07-09T15:21:05.566787Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-07-09T15:21:12.520Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-02T04:19:20.752Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "https://github.com/aimeos/ai-admin-graphql/security/advisories/GHSA-jj68-cp4v-98qf",
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/aimeos/ai-admin-graphql/security/advisories/GHSA-jj68-cp4v-98qf"
},
{
"name": "https://github.com/aimeos/ai-admin-graphql/commit/4eabc2b973509ffa5924e7f88c8f87ee96e93b38",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/aimeos/ai-admin-graphql/commit/4eabc2b973509ffa5924e7f88c8f87ee96e93b38"
},
{
"name": "https://github.com/aimeos/ai-admin-graphql/commit/687059d7eb2e1d55a09ed72dad3814f35edad038",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/aimeos/ai-admin-graphql/commit/687059d7eb2e1d55a09ed72dad3814f35edad038"
},
{
"name": "https://github.com/aimeos/ai-admin-graphql/commit/a839a5adf16fee4221d444b7d2f5140d8cabf0ac",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/aimeos/ai-admin-graphql/commit/a839a5adf16fee4221d444b7d2f5140d8cabf0ac"
},
{
"name": "https://github.com/aimeos/ai-admin-graphql/commit/acbb044620f4ff8e8d78a775cd205ec47cf119b3",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/aimeos/ai-admin-graphql/commit/acbb044620f4ff8e8d78a775cd205ec47cf119b3"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "ai-admin-graphql",
"vendor": "aimeos",
"versions": [
{
"status": "affected",
"version": "\u003e= 2022.04.1, \u003c 2022.10.10"
},
{
"status": "affected",
"version": "\u003e= 2023.04.1, \u003c 2023.10.6"
},
{
"status": "affected",
"version": "= 2024.04.1"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "aimeos/ai-admin-graphql is the Aimeos GraphQL API admin interface. Starting in version 2022.04.1 and prior to versions 2022.10.10, 2023.10.6, and 2024.4.2, improper access control allows a editors to manage own services via GraphQL API which isn\u0027t allowed in the JQAdm front end. Versions 2022.10.10, 2023.10.6, and 2024.4.2 contain a patch for the issue.\n"
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 3.8,
"baseSeverity": "LOW",
"confidentialityImpact": "NONE",
"integrityImpact": "LOW",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:L",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-1220",
"description": "CWE-1220: Insufficient Granularity of Access Control",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-863",
"description": "CWE-863: Incorrect Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-07-02T20:09:22.872Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/aimeos/ai-admin-graphql/security/advisories/GHSA-jj68-cp4v-98qf",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/aimeos/ai-admin-graphql/security/advisories/GHSA-jj68-cp4v-98qf"
},
{
"name": "https://github.com/aimeos/ai-admin-graphql/commit/4eabc2b973509ffa5924e7f88c8f87ee96e93b38",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/aimeos/ai-admin-graphql/commit/4eabc2b973509ffa5924e7f88c8f87ee96e93b38"
},
{
"name": "https://github.com/aimeos/ai-admin-graphql/commit/687059d7eb2e1d55a09ed72dad3814f35edad038",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/aimeos/ai-admin-graphql/commit/687059d7eb2e1d55a09ed72dad3814f35edad038"
},
{
"name": "https://github.com/aimeos/ai-admin-graphql/commit/a839a5adf16fee4221d444b7d2f5140d8cabf0ac",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/aimeos/ai-admin-graphql/commit/a839a5adf16fee4221d444b7d2f5140d8cabf0ac"
},
{
"name": "https://github.com/aimeos/ai-admin-graphql/commit/acbb044620f4ff8e8d78a775cd205ec47cf119b3",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/aimeos/ai-admin-graphql/commit/acbb044620f4ff8e8d78a775cd205ec47cf119b3"
}
],
"source": {
"advisory": "GHSA-jj68-cp4v-98qf",
"discovery": "UNKNOWN"
},
"title": "aimeos/ai-admin-graphql improper access control vulnerability allows editors to manage own services"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2024-39324",
"datePublished": "2024-07-02T20:09:22.872Z",
"dateReserved": "2024-06-21T18:15:22.263Z",
"dateUpdated": "2024-08-02T04:19:20.752Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-39323 (GCVE-0-2024-39323)
Vulnerability from nvd – Published: 2024-07-02 16:03 – Updated: 2024-08-02 04:19
VLAI?
Title
aimeos/ai-admin-graphql improper access control vulnerability allows an editor to modify admin account
Summary
aimeos/ai-admin-graphql is the Aimeos GraphQL API admin interface. Starting in version 2022.04.01 and prior to versions 2022.10.10, 2023.10.6, and 2024.04.6, an improper access control vulnerability allows an editor to modify and take over an admin account in the back end. Versions 2022.10.10, 2023.10.6, and 2024.04.6 fix this issue.
Severity ?
7.1 (High)
Assigner
References
| URL | Tags | |||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| aimeos | ai-admin-graphql |
Affected:
>= 2022.04.1, < 2022.10.10
Affected: >= 2023.04.1, < 2023.10.6 Affected: >= 2024.04.1, < 2024.04.6 |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-39323",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-07-02T18:03:14.407678Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-07-02T18:04:26.671Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-02T04:19:20.645Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "https://github.com/aimeos/ai-admin-graphql/security/advisories/GHSA-vc7j-99jw-jrqm",
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/aimeos/ai-admin-graphql/security/advisories/GHSA-vc7j-99jw-jrqm"
},
{
"name": "https://github.com/aimeos/ai-admin-graphql/commit/2d89d98cdcad880a9244b50736b08c1a171379ca",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/aimeos/ai-admin-graphql/commit/2d89d98cdcad880a9244b50736b08c1a171379ca"
},
{
"name": "https://github.com/aimeos/ai-admin-graphql/commit/54d6b7cf4530cb3b95f52775c24056c48e6d26e9",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/aimeos/ai-admin-graphql/commit/54d6b7cf4530cb3b95f52775c24056c48e6d26e9"
},
{
"name": "https://github.com/aimeos/ai-admin-graphql/commit/787028de0a3ecbf3e9f63ab1454eac99ce7693a9",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/aimeos/ai-admin-graphql/commit/787028de0a3ecbf3e9f63ab1454eac99ce7693a9"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "ai-admin-graphql",
"vendor": "aimeos",
"versions": [
{
"status": "affected",
"version": "\u003e= 2022.04.1, \u003c 2022.10.10"
},
{
"status": "affected",
"version": "\u003e= 2023.04.1, \u003c 2023.10.6"
},
{
"status": "affected",
"version": "\u003e= 2024.04.1, \u003c 2024.04.6"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "aimeos/ai-admin-graphql is the Aimeos GraphQL API admin interface. Starting in version 2022.04.01 and prior to versions 2022.10.10, 2023.10.6, and 2024.04.6, an improper access control vulnerability allows an editor to modify and take over an admin account in the back end. Versions 2022.10.10, 2023.10.6, and 2024.04.6 fix this issue.\n"
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 7.1,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:L",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-1220",
"description": "CWE-1220: Insufficient Granularity of Access Control",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-863",
"description": "CWE-863: Incorrect Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-07-02T16:03:03.253Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/aimeos/ai-admin-graphql/security/advisories/GHSA-vc7j-99jw-jrqm",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/aimeos/ai-admin-graphql/security/advisories/GHSA-vc7j-99jw-jrqm"
},
{
"name": "https://github.com/aimeos/ai-admin-graphql/commit/2d89d98cdcad880a9244b50736b08c1a171379ca",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/aimeos/ai-admin-graphql/commit/2d89d98cdcad880a9244b50736b08c1a171379ca"
},
{
"name": "https://github.com/aimeos/ai-admin-graphql/commit/54d6b7cf4530cb3b95f52775c24056c48e6d26e9",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/aimeos/ai-admin-graphql/commit/54d6b7cf4530cb3b95f52775c24056c48e6d26e9"
},
{
"name": "https://github.com/aimeos/ai-admin-graphql/commit/787028de0a3ecbf3e9f63ab1454eac99ce7693a9",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/aimeos/ai-admin-graphql/commit/787028de0a3ecbf3e9f63ab1454eac99ce7693a9"
}
],
"source": {
"advisory": "GHSA-vc7j-99jw-jrqm",
"discovery": "UNKNOWN"
},
"title": "aimeos/ai-admin-graphql improper access control vulnerability allows an editor to modify admin account"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2024-39323",
"datePublished": "2024-07-02T16:03:03.253Z",
"dateReserved": "2024-06-21T18:15:22.263Z",
"dateUpdated": "2024-08-02T04:19:20.645Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
FKIE_CVE-2024-39324
Vulnerability from fkie_nvd - Published: 2024-07-02 21:15 - Updated: 2024-11-21 09:27
Severity ?
3.8 (Low) - CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:L
3.8 (Low) - CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:L
3.8 (Low) - CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:L
Summary
aimeos/ai-admin-graphql is the Aimeos GraphQL API admin interface. Starting in version 2022.04.1 and prior to versions 2022.10.10, 2023.10.6, and 2024.4.2, improper access control allows a editors to manage own services via GraphQL API which isn't allowed in the JQAdm front end. Versions 2022.10.10, 2023.10.6, and 2024.4.2 contain a patch for the issue.
References
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| aimeos | ai-admin-graphql | * | |
| aimeos | ai-admin-graphql | * | |
| aimeos | ai-admin-graphql | 2024.04.1 |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:aimeos:ai-admin-graphql:*:*:*:*:*:*:*:*",
"matchCriteriaId": "CCCBEC57-5E51-404A-A93E-F04C20753EE8",
"versionEndExcluding": "2022.10.10",
"versionStartIncluding": "2022.04.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:aimeos:ai-admin-graphql:*:*:*:*:*:*:*:*",
"matchCriteriaId": "342DA783-3693-4F4A-9338-A419FB2BD435",
"versionEndExcluding": "2023.10.6",
"versionStartIncluding": "2023.04.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:aimeos:ai-admin-graphql:2024.04.1:*:*:*:*:*:*:*",
"matchCriteriaId": "1942C6DA-0B87-45DD-BDEE-1C68C33BCC1A",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "aimeos/ai-admin-graphql is the Aimeos GraphQL API admin interface. Starting in version 2022.04.1 and prior to versions 2022.10.10, 2023.10.6, and 2024.4.2, improper access control allows a editors to manage own services via GraphQL API which isn\u0027t allowed in the JQAdm front end. Versions 2022.10.10, 2023.10.6, and 2024.4.2 contain a patch for the issue.\n"
},
{
"lang": "es",
"value": "aimeos/ai-admin-graphql es la interfaz de administraci\u00f3n de la API Aimeos GraphQL. A partir de la versi\u00f3n 2022.04.1 y antes de las versiones 2022.10.10, 2023.10.6 y 2024.4.2, el control de acceso inadecuado permite a los editores administrar sus propios servicios a trav\u00e9s de la API GraphQL, lo cual no est\u00e1 permitido en la interfaz JQAdm. Las versiones 2022.10.10, 2023.10.6 y 2024.4.2 contienen un parche para el problema."
}
],
"id": "CVE-2024-39324",
"lastModified": "2024-11-21T09:27:27.850",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 3.8,
"baseSeverity": "LOW",
"confidentialityImpact": "NONE",
"integrityImpact": "LOW",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:L",
"version": "3.1"
},
"exploitabilityScore": 1.2,
"impactScore": 2.5,
"source": "security-advisories@github.com",
"type": "Secondary"
},
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 3.8,
"baseSeverity": "LOW",
"confidentialityImpact": "NONE",
"integrityImpact": "LOW",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:L",
"version": "3.1"
},
"exploitabilityScore": 1.2,
"impactScore": 2.5,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2024-07-02T21:15:11.213",
"references": [
{
"source": "security-advisories@github.com",
"tags": [
"Patch"
],
"url": "https://github.com/aimeos/ai-admin-graphql/commit/4eabc2b973509ffa5924e7f88c8f87ee96e93b38"
},
{
"source": "security-advisories@github.com",
"tags": [
"Patch"
],
"url": "https://github.com/aimeos/ai-admin-graphql/commit/687059d7eb2e1d55a09ed72dad3814f35edad038"
},
{
"source": "security-advisories@github.com",
"tags": [
"Patch"
],
"url": "https://github.com/aimeos/ai-admin-graphql/commit/a839a5adf16fee4221d444b7d2f5140d8cabf0ac"
},
{
"source": "security-advisories@github.com",
"tags": [
"Patch"
],
"url": "https://github.com/aimeos/ai-admin-graphql/commit/acbb044620f4ff8e8d78a775cd205ec47cf119b3"
},
{
"source": "security-advisories@github.com",
"tags": [
"Vendor Advisory"
],
"url": "https://github.com/aimeos/ai-admin-graphql/security/advisories/GHSA-jj68-cp4v-98qf"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Patch"
],
"url": "https://github.com/aimeos/ai-admin-graphql/commit/4eabc2b973509ffa5924e7f88c8f87ee96e93b38"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Patch"
],
"url": "https://github.com/aimeos/ai-admin-graphql/commit/687059d7eb2e1d55a09ed72dad3814f35edad038"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Patch"
],
"url": "https://github.com/aimeos/ai-admin-graphql/commit/a839a5adf16fee4221d444b7d2f5140d8cabf0ac"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Patch"
],
"url": "https://github.com/aimeos/ai-admin-graphql/commit/acbb044620f4ff8e8d78a775cd205ec47cf119b3"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Vendor Advisory"
],
"url": "https://github.com/aimeos/ai-admin-graphql/security/advisories/GHSA-jj68-cp4v-98qf"
}
],
"sourceIdentifier": "security-advisories@github.com",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-863"
},
{
"lang": "en",
"value": "CWE-1220"
}
],
"source": "security-advisories@github.com",
"type": "Secondary"
},
{
"description": [
{
"lang": "en",
"value": "CWE-863"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}