Search criteria
9 vulnerabilities found for ezd_rp by nask
FKIE_CVE-2024-7266
Vulnerability from fkie_nvd - Published: 2024-08-07 11:15 - Updated: 2025-03-17 09:15
Severity ?
Summary
Incorrect User Management vulnerability in Naukowa i Akademicka Sieć Komputerowa - Państwowy Instytut Badawczy EZD RP allows logged-in user to list all users in the system, including those from other organizations. This issue affects EZD RP: from 15 before 15.84, from 16 before 16.15, from 17 before 17.2.
References
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:nask:ezd_rp:*:*:*:*:*:*:*:*",
"matchCriteriaId": "B43D39E4-75AE-42D6-B206-A70B3CB9B538",
"versionEndExcluding": "15.84",
"versionStartIncluding": "15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:nask:ezd_rp:*:*:*:*:*:*:*:*",
"matchCriteriaId": "0C255177-BEAE-4B88-869C-57EBD3466ADD",
"versionEndExcluding": "16.15",
"versionStartIncluding": "16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:nask:ezd_rp:*:*:*:*:*:*:*:*",
"matchCriteriaId": "50DE01F5-72FE-4ECC-B117-3B4D5E15901C",
"versionEndExcluding": "17.2",
"versionStartIncluding": "17",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Incorrect User Management vulnerability in Naukowa i Akademicka Sie\u0107 Komputerowa - Pa\u0144stwowy Instytut Badawczy EZD RP allows logged-in user to list all users in the system, including those from other organizations.\u00a0This issue affects EZD RP: from 15 before 15.84, from 16 before 16.15, from 17 before 17.2."
},
{
"lang": "es",
"value": "La vulnerabilidad de administraci\u00f3n incorrecta de usuarios en Naukowa i Akademicka Sie\u0107 Komputerowa - Pa\u0144stwowy Instytut Badawczy EZD RP permite que un usuario que haya iniciado sesi\u00f3n enumere a todos los usuarios del sistema, incluidos los de otras organizaciones. Este problema afecta a EZD RP: desde la versi\u00f3n 15 hasta la 15.84, desde la versi\u00f3n 16 hasta la 16.15, desde la versi\u00f3n 17 hasta la 17.2."
}
],
"id": "CVE-2024-7266",
"lastModified": "2025-03-17T09:15:12.310",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 1.4,
"source": "nvd@nist.gov",
"type": "Primary"
}
],
"cvssMetricV40": [
{
"cvssData": {
"Automatable": "NOT_DEFINED",
"Recovery": "AUTOMATIC",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"availabilityRequirement": "NOT_DEFINED",
"baseScore": 7.1,
"baseSeverity": "HIGH",
"confidentialityRequirement": "NOT_DEFINED",
"exploitMaturity": "NOT_DEFINED",
"integrityRequirement": "NOT_DEFINED",
"modifiedAttackComplexity": "NOT_DEFINED",
"modifiedAttackRequirements": "NOT_DEFINED",
"modifiedAttackVector": "NOT_DEFINED",
"modifiedPrivilegesRequired": "NOT_DEFINED",
"modifiedSubAvailabilityImpact": "NOT_DEFINED",
"modifiedSubConfidentialityImpact": "NOT_DEFINED",
"modifiedSubIntegrityImpact": "NOT_DEFINED",
"modifiedUserInteraction": "NOT_DEFINED",
"modifiedVulnAvailabilityImpact": "NOT_DEFINED",
"modifiedVulnConfidentialityImpact": "NOT_DEFINED",
"modifiedVulnIntegrityImpact": "NOT_DEFINED",
"privilegesRequired": "LOW",
"providerUrgency": "GREEN",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"valueDensity": "DIFFUSE",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:A/V:D/RE:L/U:Green",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "NONE",
"vulnerabilityResponseEffort": "LOW"
},
"source": "cvd@cert.pl",
"type": "Secondary"
}
]
},
"published": "2024-08-07T11:15:46.077",
"references": [
{
"source": "cvd@cert.pl",
"url": "https://cert.pl/en/posts/2024/08/CVE-2024-7265/"
},
{
"source": "cvd@cert.pl",
"url": "https://cert.pl/posts/2024/08/CVE-2024-7265/"
},
{
"source": "cvd@cert.pl",
"tags": [
"Product"
],
"url": "https://www.gov.pl/web/ezd-rp"
}
],
"sourceIdentifier": "cvd@cert.pl",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-863"
}
],
"source": "cvd@cert.pl",
"type": "Secondary"
},
{
"description": [
{
"lang": "en",
"value": "CWE-863"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
FKIE_CVE-2024-7267
Vulnerability from fkie_nvd - Published: 2024-08-07 11:15 - Updated: 2025-03-17 09:15
Severity ?
Summary
Exposure of Sensitive Information vulnerability in Naukowa i Akademicka Sieć Komputerowa - Państwowy Instytut Badawczy EZD RP allows logged-in user to retrieve information about IP infrastructure and credentials. This issue affects EZD RP all versions before 19.6
References
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:nask:ezd_rp:*:*:*:*:*:*:*:*",
"matchCriteriaId": "A879CDA2-CA17-4D24-8335-7994C332BD58",
"versionEndExcluding": "19.6",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Exposure of Sensitive Information\u00a0vulnerability in Naukowa i Akademicka Sie\u0107 Komputerowa - Pa\u0144stwowy Instytut Badawczy EZD RP allows logged-in user to retrieve information about IP infrastructure and credentials.\u00a0This issue affects EZD RP all versions before 19.6"
},
{
"lang": "es",
"value": "Exposici\u00f3n de vulnerabilidad de informaci\u00f3n confidencial en Naukowa i Akademicka Sie\u0107 Komputerowa - Pa\u0144stwowy Instytut Badawczy EZD RP permite al usuario que ha iniciado sesi\u00f3n recuperar informaci\u00f3n sobre la infraestructura y las credenciales de IP. Este problema afecta a todas las versiones de EZD RP anteriores a la 19.6"
}
],
"id": "CVE-2024-7267",
"lastModified": "2025-03-17T09:15:12.470",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 3.6,
"source": "nvd@nist.gov",
"type": "Primary"
}
],
"cvssMetricV40": [
{
"cvssData": {
"Automatable": "NOT_DEFINED",
"Recovery": "AUTOMATIC",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"availabilityRequirement": "NOT_DEFINED",
"baseScore": 7.1,
"baseSeverity": "HIGH",
"confidentialityRequirement": "NOT_DEFINED",
"exploitMaturity": "NOT_DEFINED",
"integrityRequirement": "NOT_DEFINED",
"modifiedAttackComplexity": "NOT_DEFINED",
"modifiedAttackRequirements": "NOT_DEFINED",
"modifiedAttackVector": "NOT_DEFINED",
"modifiedPrivilegesRequired": "NOT_DEFINED",
"modifiedSubAvailabilityImpact": "NOT_DEFINED",
"modifiedSubConfidentialityImpact": "NOT_DEFINED",
"modifiedSubIntegrityImpact": "NOT_DEFINED",
"modifiedUserInteraction": "NOT_DEFINED",
"modifiedVulnAvailabilityImpact": "NOT_DEFINED",
"modifiedVulnConfidentialityImpact": "NOT_DEFINED",
"modifiedVulnIntegrityImpact": "NOT_DEFINED",
"privilegesRequired": "LOW",
"providerUrgency": "GREEN",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"valueDensity": "DIFFUSE",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:A/V:D/RE:L/U:Green",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "NONE",
"vulnerabilityResponseEffort": "LOW"
},
"source": "cvd@cert.pl",
"type": "Secondary"
}
]
},
"published": "2024-08-07T11:15:46.200",
"references": [
{
"source": "cvd@cert.pl",
"url": "https://cert.pl/en/posts/2024/08/CVE-2024-7265/"
},
{
"source": "cvd@cert.pl",
"url": "https://cert.pl/posts/2024/08/CVE-2024-7265/"
},
{
"source": "cvd@cert.pl",
"tags": [
"Product"
],
"url": "https://www.gov.pl/web/ezd-rp"
}
],
"sourceIdentifier": "cvd@cert.pl",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-213"
}
],
"source": "cvd@cert.pl",
"type": "Secondary"
},
{
"description": [
{
"lang": "en",
"value": "NVD-CWE-Other"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
FKIE_CVE-2024-7265
Vulnerability from fkie_nvd - Published: 2024-08-07 11:15 - Updated: 2025-03-17 09:15
Severity ?
Summary
Incorrect User Management vulnerability in Naukowa i Akademicka Sieć Komputerowa - Państwowy Instytut Badawczy EZD RP allows logged-in user to change the password of any user, including root user, which could lead to privilege escalation. This issue affects EZD RP: from 15 before 15.84, from 16 before 16.15, from 17 before 17.2.
References
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:nask:ezd_rp:*:*:*:*:*:*:*:*",
"matchCriteriaId": "B43D39E4-75AE-42D6-B206-A70B3CB9B538",
"versionEndExcluding": "15.84",
"versionStartIncluding": "15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:nask:ezd_rp:*:*:*:*:*:*:*:*",
"matchCriteriaId": "0C255177-BEAE-4B88-869C-57EBD3466ADD",
"versionEndExcluding": "16.15",
"versionStartIncluding": "16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:nask:ezd_rp:*:*:*:*:*:*:*:*",
"matchCriteriaId": "50DE01F5-72FE-4ECC-B117-3B4D5E15901C",
"versionEndExcluding": "17.2",
"versionStartIncluding": "17",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Incorrect User Management vulnerability in Naukowa i Akademicka Sie\u0107 Komputerowa - Pa\u0144stwowy Instytut Badawczy EZD RP allows logged-in user to change the password of any user, including root user, which could lead to privilege escalation.\u00a0This issue affects EZD RP: from 15 before 15.84, from 16 before 16.15, from 17 before 17.2."
},
{
"lang": "es",
"value": "La vulnerabilidad de administraci\u00f3n incorrecta de usuarios en Naukowa i Akademicka Sie\u0107 Komputerowa - Pa\u0144stwowy Instytut Badawczy EZD RP permite que un usuario conectado cambie la contrase\u00f1a de cualquier usuario, incluido el usuario root, lo que podr\u00eda provocar una escalada de privilegios. Este problema afecta a EZD RP: desde la versi\u00f3n 15 hasta la 15.84, desde la versi\u00f3n 16 hasta la 16.15, desde la versi\u00f3n 17 hasta la 17.2."
}
],
"id": "CVE-2024-7265",
"lastModified": "2025-03-17T09:15:11.963",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 5.9,
"source": "nvd@nist.gov",
"type": "Primary"
}
],
"cvssMetricV40": [
{
"cvssData": {
"Automatable": "NOT_DEFINED",
"Recovery": "USER",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"availabilityRequirement": "NOT_DEFINED",
"baseScore": 8.7,
"baseSeverity": "HIGH",
"confidentialityRequirement": "NOT_DEFINED",
"exploitMaturity": "NOT_DEFINED",
"integrityRequirement": "NOT_DEFINED",
"modifiedAttackComplexity": "NOT_DEFINED",
"modifiedAttackRequirements": "NOT_DEFINED",
"modifiedAttackVector": "NOT_DEFINED",
"modifiedPrivilegesRequired": "NOT_DEFINED",
"modifiedSubAvailabilityImpact": "NOT_DEFINED",
"modifiedSubConfidentialityImpact": "NOT_DEFINED",
"modifiedSubIntegrityImpact": "NOT_DEFINED",
"modifiedUserInteraction": "NOT_DEFINED",
"modifiedVulnAvailabilityImpact": "NOT_DEFINED",
"modifiedVulnConfidentialityImpact": "NOT_DEFINED",
"modifiedVulnIntegrityImpact": "NOT_DEFINED",
"privilegesRequired": "LOW",
"providerUrgency": "AMBER",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"valueDensity": "DIFFUSE",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:U/V:D/RE:L/U:Amber",
"version": "4.0",
"vulnAvailabilityImpact": "HIGH",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "HIGH",
"vulnerabilityResponseEffort": "LOW"
},
"source": "cvd@cert.pl",
"type": "Secondary"
}
]
},
"published": "2024-08-07T11:15:45.757",
"references": [
{
"source": "cvd@cert.pl",
"url": "https://cert.pl/en/posts/2024/08/CVE-2024-7265/"
},
{
"source": "cvd@cert.pl",
"url": "https://cert.pl/posts/2024/08/CVE-2024-7265/"
},
{
"source": "cvd@cert.pl",
"tags": [
"Product"
],
"url": "https://www.gov.pl/web/ezd-rp"
}
],
"sourceIdentifier": "cvd@cert.pl",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-863"
}
],
"source": "cvd@cert.pl",
"type": "Secondary"
},
{
"description": [
{
"lang": "en",
"value": "CWE-863"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
CVE-2024-7267 (GCVE-0-2024-7267)
Vulnerability from cvelistv5 – Published: 2024-08-07 10:59 – Updated: 2025-03-17 08:35
Title
Internal infrastructure data leak in EZD RP
Summary
Exposure of Sensitive Information vulnerability in Naukowa i Akademicka Sieć Komputerowa - Państwowy Instytut Badawczy EZD RP allows logged-in user to retrieve information about IP infrastructure and credentials. This issue affects EZD RP all versions before 19.6
Severity ?
CWE
- CWE-213 - Exposure of Sensitive Information Due to Incompatible Policies
Assigner
References
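| URL | Tags |
|---|---|
| https://cert.pl/en/posts/2024/08/CVE-2024-7265/ | third-party-advisory |
| https://cert.pl/posts/2024/08/CVE-2024-7265/ | third-party-advisory |
| https://www.gov.pl/web/ezd-rp | product |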
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Naukowa i Akademicka Sieć Komputerowa - Państwowy Instytut Badawczy | EZD RP | Affected: 0, < 19.6 (custom) |
Credits
Jakub Płatek (NASK-PIB)
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-7267",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-08-07T13:51:36.502477Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-08-07T14:08:34.623Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "EZD RP",
"vendor": "Naukowa i Akademicka Sie\u0107 Komputerowa - Pa\u0144stwowy Instytut Badawczy",
"versions": [
{
"lessThan": "19.6",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Jakub P\u0142atek (NASK-PIB)"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Exposure of Sensitive Information\u0026nbsp;vulnerability in Naukowa i Akademicka Sie\u0107 Komputerowa - Pa\u0144stwowy Instytut Badawczy EZD RP allows logged-in user to retrieve information about IP infrastructure and credentials.\u0026nbsp;\u003cp\u003eThis issue affects EZD RP all versions before 19.6\u003c/p\u003e"
}
],
"value": "Exposure of Sensitive Information\u00a0vulnerability in Naukowa i Akademicka Sie\u0107 Komputerowa - Pa\u0144stwowy Instytut Badawczy EZD RP allows logged-in user to retrieve information about IP infrastructure and credentials.\u00a0This issue affects EZD RP all versions before 19.6"
}
],
"impacts": [
{
"capecId": "CAPEC-37",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-37 Retrieve Embedded Sensitive Data"
}
]
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "AUTOMATIC",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 7.1,
"baseSeverity": "HIGH",
"privilegesRequired": "LOW",
"providerUrgency": "GREEN",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"valueDensity": "DIFFUSE",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/R:A/V:D/RE:L/U:Green",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "NONE",
"vulnerabilityResponseEffort": "LOW"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-213",
"description": "CWE-213 Exposure of Sensitive Information Due to Incompatible Policies",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-03-17T08:35:32.535Z",
"orgId": "4bb8329e-dd38-46c1-aafb-9bf32bcb93c6",
"shortName": "CERT-PL"
},
"references": [
{
"tags": [
"third-party-advisory"
],
"url": "https://cert.pl/en/posts/2024/08/CVE-2024-7265/"
},
{
"tags": [
"third-party-advisory"
],
"url": "https://cert.pl/posts/2024/08/CVE-2024-7265/"
},
{
"tags": [
"product"
],
"url": "https://www.gov.pl/web/ezd-rp"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Internal infrastructure data leak in EZD RP",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "4bb8329e-dd38-46c1-aafb-9bf32bcb93c6",
"assignerShortName": "CERT-PL",
"cveId": "CVE-2024-7267",
"datePublished": "2024-08-07T10:59:17.613Z",
"dateReserved": "2024-07-30T08:43:03.593Z",
"dateUpdated": "2025-03-17T08:35:32.535Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-7266 (GCVE-0-2024-7266)
Vulnerability from cvelistv5 – Published: 2024-08-07 10:58 – Updated: 2025-03-25 14:31
Title
Users listing in EZD RP
Summary
Incorrect User Management vulnerability in Naukowa i Akademicka Sieć Komputerowa - Państwowy Instytut Badawczy EZD RP allows logged-in user to list all users in the system, including those from other organizations. This issue affects EZD RP: from 15 before 15.84, from 16 before 16.15, from 17 before 17.2.
Severity ?
CWE
- CWE-863 - Incorrect Authorization
Assigner
References
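| URL | Tags |
|---|---|
| https://cert.pl/en/posts/2024/08/CVE-2024-7265/ | third-party-advisory |
| https://cert.pl/posts/2024/08/CVE-2024-7265/ | third-party-advisory |
| https://www.gov.pl/web/ezd-rp | product |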
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Naukowa i Akademicka Sieć Komputerowa - Państwowy Instytut Badawczy | EZD RP | Affected: 15, < 15.84 (custom); Affected: 16, < 16.15 (custom); Affected: 17, < 17.2 (custom) |
Credits
Jakub Płatek (NASK-PIB)
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-7266",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-08-07T13:08:19.371640Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-03-25T14:31:55.797Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "EZD RP",
"vendor": "Naukowa i Akademicka Sie\u0107 Komputerowa - Pa\u0144stwowy Instytut Badawczy",
"versions": [
{
"lessThan": "15.84",
"status": "affected",
"version": "15",
"versionType": "custom"
},
{
"lessThan": "16.15",
"status": "affected",
"version": "16",
"versionType": "custom"
},
{
"lessThan": "17.2",
"status": "affected",
"version": "17",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Jakub P\u0142atek (NASK-PIB)"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Incorrect User Management vulnerability in Naukowa i Akademicka Sie\u0107 Komputerowa - Pa\u0144stwowy Instytut Badawczy EZD RP allows logged-in user to list all users in the system, including those from other organizations.\u0026nbsp;\u003cp\u003eThis issue affects EZD RP: from 15 before 15.84, from 16 before 16.15, from 17 before 17.2.\u003c/p\u003e"
}
],
"value": "Incorrect User Management vulnerability in Naukowa i Akademicka Sie\u0107 Komputerowa - Pa\u0144stwowy Instytut Badawczy EZD RP allows logged-in user to list all users in the system, including those from other organizations.\u00a0This issue affects EZD RP: from 15 before 15.84, from 16 before 16.15, from 17 before 17.2."
}
],
"impacts": [
{
"capecId": "CAPEC-37",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-37 Retrieve Embedded Sensitive Data"
}
]
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "AUTOMATIC",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 7.1,
"baseSeverity": "HIGH",
"privilegesRequired": "LOW",
"providerUrgency": "GREEN",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"valueDensity": "DIFFUSE",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/R:A/V:D/RE:L/U:Green",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "NONE",
"vulnerabilityResponseEffort": "LOW"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-863",
"description": "CWE-863 Incorrect Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-03-17T08:35:13.469Z",
"orgId": "4bb8329e-dd38-46c1-aafb-9bf32bcb93c6",
"shortName": "CERT-PL"
},
"references": [
{
"tags": [
"third-party-advisory"
],
"url": "https://cert.pl/en/posts/2024/08/CVE-2024-7265/"
},
{
"tags": [
"third-party-advisory"
],
"url": "https://cert.pl/posts/2024/08/CVE-2024-7265/"
},
{
"tags": [
"product"
],
"url": "https://www.gov.pl/web/ezd-rp"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Users listing in EZD RP",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "4bb8329e-dd38-46c1-aafb-9bf32bcb93c6",
"assignerShortName": "CERT-PL",
"cveId": "CVE-2024-7266",
"datePublished": "2024-08-07T10:58:47.839Z",
"dateReserved": "2024-07-30T08:43:02.704Z",
"dateUpdated": "2025-03-25T14:31:55.797Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-7265 (GCVE-0-2024-7265)
Vulnerability from cvelistv5 – Published: 2024-08-07 10:58 – Updated: 2025-03-17 08:34
Title
Privilege Escalation in EZD RP
Summary
Incorrect User Management vulnerability in Naukowa i Akademicka Sieć Komputerowa - Państwowy Instytut Badawczy EZD RP allows logged-in user to change the password of any user, including root user, which could lead to privilege escalation. This issue affects EZD RP: from 15 before 15.84, from 16 before 16.15, from 17 before 17.2.
Severity ?
CWE
- CWE-863 - Incorrect Authorization
Assigner
References
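| URL | Tags |
|---|---|
| https://cert.pl/en/posts/2024/08/CVE-2024-7265/ | third-party-advisory |
| https://cert.pl/posts/2024/08/CVE-2024-7265/ | third-party-advisory |
| https://www.gov.pl/web/ezd-rp | product |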
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Naukowa i Akademicka Sieć Komputerowa - Państwowy Instytut Badawczy | EZD RP | Affected: 15, < 15.84 (custom); Affected: 16, < 16.15 (custom); Affected: 17, < 17.2 (custom) |
Credits
Jakub Płatek (NASK-PIB)
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:2.3:a:nask-pib:ezd_rp:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "ezd_rp",
"vendor": "nask-pib",
"versions": [
{
"lessThan": "15.84",
"status": "affected",
"version": "15",
"versionType": "custom"
},
{
"lessThan": "16.15",
"status": "affected",
"version": "16",
"versionType": "custom"
},
{
"lessThan": "17.2",
"status": "affected",
"version": "17",
"versionType": "custom"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-7265",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-08-07T13:13:17.569299Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-08-08T14:37:20.227Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "EZD RP",
"vendor": "Naukowa i Akademicka Sie\u0107 Komputerowa - Pa\u0144stwowy Instytut Badawczy",
"versions": [
{
"lessThan": "15.84",
"status": "affected",
"version": "15",
"versionType": "custom"
},
{
"lessThan": "16.15",
"status": "affected",
"version": "16",
"versionType": "custom"
},
{
"lessThan": "17.2",
"status": "affected",
"version": "17",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Jakub P\u0142atek (NASK-PIB)"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Incorrect User Management vulnerability in Naukowa i Akademicka Sie\u0107 Komputerowa - Pa\u0144stwowy Instytut Badawczy EZD RP allows logged-in user to change the password of any user, including root user, which could lead to privilege escalation.\u0026nbsp;\u003cp\u003eThis issue affects EZD RP: from 15 before 15.84, from 16 before 16.15, from 17 before 17.2.\u003c/p\u003e"
}
],
"value": "Incorrect User Management vulnerability in Naukowa i Akademicka Sie\u0107 Komputerowa - Pa\u0144stwowy Instytut Badawczy EZD RP allows logged-in user to change the password of any user, including root user, which could lead to privilege escalation.\u00a0This issue affects EZD RP: from 15 before 15.84, from 16 before 16.15, from 17 before 17.2."
}
],
"impacts": [
{
"capecId": "CAPEC-233",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-233 Privilege Escalation"
}
]
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "USER",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 8.7,
"baseSeverity": "HIGH",
"privilegesRequired": "LOW",
"providerUrgency": "AMBER",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"valueDensity": "DIFFUSE",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/R:U/V:D/RE:L/U:Amber",
"version": "4.0",
"vulnAvailabilityImpact": "HIGH",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "HIGH",
"vulnerabilityResponseEffort": "LOW"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-863",
"description": "CWE-863 Incorrect Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-03-17T08:34:48.839Z",
"orgId": "4bb8329e-dd38-46c1-aafb-9bf32bcb93c6",
"shortName": "CERT-PL"
},
"references": [
{
"tags": [
"third-party-advisory"
],
"url": "https://cert.pl/en/posts/2024/08/CVE-2024-7265/"
},
{
"tags": [
"third-party-advisory"
],
"url": "https://cert.pl/posts/2024/08/CVE-2024-7265/"
},
{
"tags": [
"product"
],
"url": "https://www.gov.pl/web/ezd-rp"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Privilege Escalation in EZD RP",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "4bb8329e-dd38-46c1-aafb-9bf32bcb93c6",
"assignerShortName": "CERT-PL",
"cveId": "CVE-2024-7265",
"datePublished": "2024-08-07T10:58:25.223Z",
"dateReserved": "2024-07-30T08:43:01.420Z",
"dateUpdated": "2025-03-17T08:34:48.839Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-7267 (GCVE-0-2024-7267)
Vulnerability from nvd – Published: 2024-08-07 10:59 – Updated: 2025-03-17 08:35
Title
Internal infrastructure data leak in EZD RP
Summary
Exposure of Sensitive Information vulnerability in Naukowa i Akademicka Sieć Komputerowa - Państwowy Instytut Badawczy EZD RP allows logged-in user to retrieve information about IP infrastructure and credentials. This issue affects EZD RP all versions before 19.6
Severity ?
CWE
- CWE-213 - Exposure of Sensitive Information Due to Incompatible Policies
Assigner
References
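| URL | Tags |
|---|---|
| https://cert.pl/en/posts/2024/08/CVE-2024-7265/ | third-party-advisory |
| https://cert.pl/posts/2024/08/CVE-2024-7265/ | third-party-advisory |
| https://www.gov.pl/web/ezd-rp | product |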
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Naukowa i Akademicka Sieć Komputerowa - Państwowy Instytut Badawczy | EZD RP | Affected: 0, < 19.6 (custom) |
Credits
Jakub Płatek (NASK-PIB)
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-7267",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-08-07T13:51:36.502477Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-08-07T14:08:34.623Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "EZD RP",
"vendor": "Naukowa i Akademicka Sie\u0107 Komputerowa - Pa\u0144stwowy Instytut Badawczy",
"versions": [
{
"lessThan": "19.6",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Jakub P\u0142atek (NASK-PIB)"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Exposure of Sensitive Information\u0026nbsp;vulnerability in Naukowa i Akademicka Sie\u0107 Komputerowa - Pa\u0144stwowy Instytut Badawczy EZD RP allows logged-in user to retrieve information about IP infrastructure and credentials.\u0026nbsp;\u003cp\u003eThis issue affects EZD RP all versions before 19.6\u003c/p\u003e"
}
],
"value": "Exposure of Sensitive Information\u00a0vulnerability in Naukowa i Akademicka Sie\u0107 Komputerowa - Pa\u0144stwowy Instytut Badawczy EZD RP allows logged-in user to retrieve information about IP infrastructure and credentials.\u00a0This issue affects EZD RP all versions before 19.6"
}
],
"impacts": [
{
"capecId": "CAPEC-37",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-37 Retrieve Embedded Sensitive Data"
}
]
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "AUTOMATIC",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 7.1,
"baseSeverity": "HIGH",
"privilegesRequired": "LOW",
"providerUrgency": "GREEN",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"valueDensity": "DIFFUSE",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/R:A/V:D/RE:L/U:Green",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "NONE",
"vulnerabilityResponseEffort": "LOW"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-213",
"description": "CWE-213 Exposure of Sensitive Information Due to Incompatible Policies",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-03-17T08:35:32.535Z",
"orgId": "4bb8329e-dd38-46c1-aafb-9bf32bcb93c6",
"shortName": "CERT-PL"
},
"references": [
{
"tags": [
"third-party-advisory"
],
"url": "https://cert.pl/en/posts/2024/08/CVE-2024-7265/"
},
{
"tags": [
"third-party-advisory"
],
"url": "https://cert.pl/posts/2024/08/CVE-2024-7265/"
},
{
"tags": [
"product"
],
"url": "https://www.gov.pl/web/ezd-rp"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Internal infrastructure data leak in EZD RP",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "4bb8329e-dd38-46c1-aafb-9bf32bcb93c6",
"assignerShortName": "CERT-PL",
"cveId": "CVE-2024-7267",
"datePublished": "2024-08-07T10:59:17.613Z",
"dateReserved": "2024-07-30T08:43:03.593Z",
"dateUpdated": "2025-03-17T08:35:32.535Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-7266 (GCVE-0-2024-7266)
Vulnerability from nvd – Published: 2024-08-07 10:58 – Updated: 2025-03-25 14:31
Title
Users listing in EZD RP
Summary
Incorrect User Management vulnerability in Naukowa i Akademicka Sieć Komputerowa - Państwowy Instytut Badawczy EZD RP allows a logged-in user to list all users in the system, including those from other organizations. This issue affects EZD RP: from 15 before 15.84, from 16 before 16.15, from 17 before 17.2.
Severity ?
CWE
- CWE-863 - Incorrect Authorization
Assigner
References
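| URL | Tags |
|---|---|
| https://cert.pl/en/posts/2024/08/CVE-2024-7265/ | third-party-advisory |
| https://cert.pl/posts/2024/08/CVE-2024-7265/ | third-party-advisory |
| https://www.gov.pl/web/ezd-rp | product |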
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Naukowa i Akademicka Sieć Komputerowa - Państwowy Instytut Badawczy | EZD RP | Affected: 15 , < 15.84 (custom); Affected: 16 , < 16.15 (custom); Affected: 17 , < 17.2 (custom) |
Credits
Jakub Płatek (NASK-PIB)
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-7266",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-08-07T13:08:19.371640Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-03-25T14:31:55.797Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "EZD RP",
"vendor": "Naukowa i Akademicka Sie\u0107 Komputerowa - Pa\u0144stwowy Instytut Badawczy",
"versions": [
{
"lessThan": "15.84",
"status": "affected",
"version": "15",
"versionType": "custom"
},
{
"lessThan": "16.15",
"status": "affected",
"version": "16",
"versionType": "custom"
},
{
"lessThan": "17.2",
"status": "affected",
"version": "17",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Jakub P\u0142atek (NASK-PIB)"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Incorrect User Management vulnerability in Naukowa i Akademicka Sie\u0107 Komputerowa - Pa\u0144stwowy Instytut Badawczy EZD RP allows logged-in user to list all users in the system, including those from other organizations.\u0026nbsp;\u003cp\u003eThis issue affects EZD RP: from 15 before 15.84, from 16 before 16.15, from 17 before 17.2.\u003c/p\u003e"
}
],
"value": "Incorrect User Management vulnerability in Naukowa i Akademicka Sie\u0107 Komputerowa - Pa\u0144stwowy Instytut Badawczy EZD RP allows logged-in user to list all users in the system, including those from other organizations.\u00a0This issue affects EZD RP: from 15 before 15.84, from 16 before 16.15, from 17 before 17.2."
}
],
"impacts": [
{
"capecId": "CAPEC-37",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-37 Retrieve Embedded Sensitive Data"
}
]
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "AUTOMATIC",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 7.1,
"baseSeverity": "HIGH",
"privilegesRequired": "LOW",
"providerUrgency": "GREEN",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"valueDensity": "DIFFUSE",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/R:A/V:D/RE:L/U:Green",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "NONE",
"vulnerabilityResponseEffort": "LOW"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-863",
"description": "CWE-863 Incorrect Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-03-17T08:35:13.469Z",
"orgId": "4bb8329e-dd38-46c1-aafb-9bf32bcb93c6",
"shortName": "CERT-PL"
},
"references": [
{
"tags": [
"third-party-advisory"
],
"url": "https://cert.pl/en/posts/2024/08/CVE-2024-7265/"
},
{
"tags": [
"third-party-advisory"
],
"url": "https://cert.pl/posts/2024/08/CVE-2024-7265/"
},
{
"tags": [
"product"
],
"url": "https://www.gov.pl/web/ezd-rp"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Users listing in EZD RP",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "4bb8329e-dd38-46c1-aafb-9bf32bcb93c6",
"assignerShortName": "CERT-PL",
"cveId": "CVE-2024-7266",
"datePublished": "2024-08-07T10:58:47.839Z",
"dateReserved": "2024-07-30T08:43:02.704Z",
"dateUpdated": "2025-03-25T14:31:55.797Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-7265 (GCVE-0-2024-7265)
Vulnerability from nvd – Published: 2024-08-07 10:58 – Updated: 2025-03-17 08:34
Title
Privilege Escalation in EZD RP
Summary
Incorrect User Management vulnerability in Naukowa i Akademicka Sieć Komputerowa - Państwowy Instytut Badawczy EZD RP allows a logged-in user to change the password of any user, including the root user, which could lead to privilege escalation. This issue affects EZD RP: from 15 before 15.84, from 16 before 16.15, from 17 before 17.2.
Severity ?
CWE
- CWE-863 - Incorrect Authorization
Assigner
References
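| URL | Tags |
|---|---|
| https://cert.pl/en/posts/2024/08/CVE-2024-7265/ | third-party-advisory |
| https://cert.pl/posts/2024/08/CVE-2024-7265/ | third-party-advisory |
| https://www.gov.pl/web/ezd-rp | product |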
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Naukowa i Akademicka Sieć Komputerowa - Państwowy Instytut Badawczy | EZD RP | Affected: 15 , < 15.84 (custom); Affected: 16 , < 16.15 (custom); Affected: 17 , < 17.2 (custom) |
Credits
Jakub Płatek (NASK-PIB)
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:2.3:a:nask-pib:ezd_rp:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "ezd_rp",
"vendor": "nask-pib",
"versions": [
{
"lessThan": "15.84",
"status": "affected",
"version": "15",
"versionType": "custom"
},
{
"lessThan": "16.15",
"status": "affected",
"version": "16",
"versionType": "custom"
},
{
"lessThan": "17.2",
"status": "affected",
"version": "17",
"versionType": "custom"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-7265",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-08-07T13:13:17.569299Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-08-08T14:37:20.227Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "EZD RP",
"vendor": "Naukowa i Akademicka Sie\u0107 Komputerowa - Pa\u0144stwowy Instytut Badawczy",
"versions": [
{
"lessThan": "15.84",
"status": "affected",
"version": "15",
"versionType": "custom"
},
{
"lessThan": "16.15",
"status": "affected",
"version": "16",
"versionType": "custom"
},
{
"lessThan": "17.2",
"status": "affected",
"version": "17",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Jakub P\u0142atek (NASK-PIB)"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Incorrect User Management vulnerability in Naukowa i Akademicka Sie\u0107 Komputerowa - Pa\u0144stwowy Instytut Badawczy EZD RP allows logged-in user to change the password of any user, including root user, which could lead to privilege escalation.\u0026nbsp;\u003cp\u003eThis issue affects EZD RP: from 15 before 15.84, from 16 before 16.15, from 17 before 17.2.\u003c/p\u003e"
}
],
"value": "Incorrect User Management vulnerability in Naukowa i Akademicka Sie\u0107 Komputerowa - Pa\u0144stwowy Instytut Badawczy EZD RP allows logged-in user to change the password of any user, including root user, which could lead to privilege escalation.\u00a0This issue affects EZD RP: from 15 before 15.84, from 16 before 16.15, from 17 before 17.2."
}
],
"impacts": [
{
"capecId": "CAPEC-233",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-233 Privilege Escalation"
}
]
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "USER",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 8.7,
"baseSeverity": "HIGH",
"privilegesRequired": "LOW",
"providerUrgency": "AMBER",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"valueDensity": "DIFFUSE",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/R:U/V:D/RE:L/U:Amber",
"version": "4.0",
"vulnAvailabilityImpact": "HIGH",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "HIGH",
"vulnerabilityResponseEffort": "LOW"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-863",
"description": "CWE-863 Incorrect Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-03-17T08:34:48.839Z",
"orgId": "4bb8329e-dd38-46c1-aafb-9bf32bcb93c6",
"shortName": "CERT-PL"
},
"references": [
{
"tags": [
"third-party-advisory"
],
"url": "https://cert.pl/en/posts/2024/08/CVE-2024-7265/"
},
{
"tags": [
"third-party-advisory"
],
"url": "https://cert.pl/posts/2024/08/CVE-2024-7265/"
},
{
"tags": [
"product"
],
"url": "https://www.gov.pl/web/ezd-rp"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Privilege Escalation in EZD RP",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "4bb8329e-dd38-46c1-aafb-9bf32bcb93c6",
"assignerShortName": "CERT-PL",
"cveId": "CVE-2024-7265",
"datePublished": "2024-08-07T10:58:25.223Z",
"dateReserved": "2024-07-30T08:43:01.420Z",
"dateUpdated": "2025-03-17T08:34:48.839Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}