cvelistv5 - CVE-2024-27168

CVE-2024-27168 (GCVE-0-2024-27168)

Vulnerability from cvelistv5 – Published: 2024-06-14 03:53 – Updated: 2025-02-13 17:46

Summary

It appears that some hardcoded keys are used for authentication to internal API. Knowing these private keys may allow attackers to bypass authentication and reach administrative interfaces. As for the affected products/models/versions, see the reference URL.

Severity ?

7.1 (High)


                        
                          CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N

CWE

CWE-798 - Use of Hard-coded Credentials

Assigner

Toshiba

References

URL

Tags

	https://www.toshibatec.com/information/20240531_01.html
	https://www.toshibatec.com/information/pdf/inform…
	https://jvn.jp/en/vu/JVNVU97136265/index.html
	http://seclists.org/fulldisclosure/2024/Jul/1

Impacted products

	Vendor	Product	Version
	Toshiba Tec Corporation	Toshiba Tec e-Studio multi-function peripheral (MFP)	Affected: see the reference URL

Credits

We expresses its gratitude to Pierre Barre for reporting relevant security vulnerabilities for our products.

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2024-27168",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2024-06-14T18:49:02.609253Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2024-06-14T18:49:09.738Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      },
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-02T00:27:59.645Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://www.toshibatec.com/information/20240531_01.html"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://www.toshibatec.com/information/pdf/information20240531_01.pdf"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://jvn.jp/en/vu/JVNVU97136265/index.html"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "http://seclists.org/fulldisclosure/2024/Jul/1"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "platforms": [
            "Linux"
          ],
          "product": "Toshiba Tec e-Studio multi-function peripheral (MFP)",
          "vendor": "Toshiba Tec Corporation",
          "versions": [
            {
              "status": "affected",
              "version": "see the reference URL"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "We expresses its gratitude to Pierre Barre for reporting relevant security vulnerabilities for our products."
        }
      ],
      "datePublic": "2024-06-14T02:00:00.000Z",
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "It appears that some hardcoded keys are used for authentication to internal API. Knowing these private keys may allow attackers to bypass authentication and reach administrative interfaces. As for the affected products/models/versions, see the reference URL."
            }
          ],
          "value": "It appears that some hardcoded keys are used for authentication to internal API. Knowing these private keys may allow attackers to bypass authentication and reach administrative interfaces. As for the affected products/models/versions, see the reference URL."
        }
      ],
      "exploits": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "We are not aware of any malicious exploitation by these vulnerabilities.\u003cbr\u003e"
            }
          ],
          "value": "We are not aware of any malicious exploitation by these vulnerabilities."
        }
      ],
      "impacts": [
        {
          "capecId": "CAPEC-37",
          "descriptions": [
            {
              "lang": "en",
              "value": "CAPEC-37 Retrieve Embedded Sensitive Data"
            }
          ]
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "LOCAL",
            "availabilityImpact": "NONE",
            "baseScore": 7.1,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "CHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N",
            "version": "3.1"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-798",
              "description": "CWE-798 Use of Hard-coded Credentials",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2024-07-04T05:07:13.094Z",
        "orgId": "ecc0f906-8666-484c-bcf8-c3b7520a72f0",
        "shortName": "Toshiba"
      },
      "references": [
        {
          "url": "https://www.toshibatec.com/information/20240531_01.html"
        },
        {
          "url": "https://www.toshibatec.com/information/pdf/information20240531_01.pdf"
        },
        {
          "url": "https://jvn.jp/en/vu/JVNVU97136265/index.html"
        },
        {
          "url": "http://seclists.org/fulldisclosure/2024/Jul/1"
        }
      ],
      "solutions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "This issue is fixed in the version released on June 14, 2024 and all later versions.\u003cbr\u003e"
            }
          ],
          "value": "This issue is fixed in the version released on June 14, 2024 and all later versions."
        }
      ],
      "source": {
        "discovery": "UNKNOWN"
      },
      "timeline": [
        {
          "lang": "en",
          "time": "2024-06-14T02:00:00.000Z",
          "value": "Fixes will be released"
        }
      ],
      "title": "Hardcoded keys used to generate authentication cookies",
      "x_generator": {
        "engine": "Vulnogram 0.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "ecc0f906-8666-484c-bcf8-c3b7520a72f0",
    "assignerShortName": "Toshiba",
    "cveId": "CVE-2024-27168",
    "datePublished": "2024-06-14T03:53:58.804Z",
    "dateReserved": "2024-02-21T02:11:59.653Z",
    "dateUpdated": "2025-02-13T17:46:10.504Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1",
  "vulnerability-lookup:meta": {
    "fkie_nvd": {
      "descriptions": "[{\"lang\": \"en\", \"value\": \"It appears that some hardcoded keys are used for authentication to internal API. Knowing these private keys may allow attackers to bypass authentication and reach administrative interfaces. As for the affected products/models/versions, see the reference URL.\"}, {\"lang\": \"es\", \"value\": \"Parece que algunas claves codificadas se utilizan para la autenticaci\\u00f3n en la API interna. Conocer estas claves privadas puede permitir a los atacantes eludir la autenticaci\\u00f3n y llegar a las interfaces administrativas. En cuanto a los productos/modelos/versiones afectados, consulte la URL de referencia.\"}]",
      "id": "CVE-2024-27168",
      "lastModified": "2024-11-21T09:04:00.433",
      "metrics": "{\"cvssMetricV31\": [{\"source\": \"ecc0f906-8666-484c-bcf8-c3b7520a72f0\", \"type\": \"Secondary\", \"cvssData\": {\"version\": \"3.1\", \"vectorString\": \"CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N\", \"baseScore\": 7.1, \"baseSeverity\": \"HIGH\", \"attackVector\": \"LOCAL\", \"attackComplexity\": \"LOW\", \"privilegesRequired\": \"NONE\", \"userInteraction\": \"NONE\", \"scope\": \"CHANGED\", \"confidentialityImpact\": \"HIGH\", \"integrityImpact\": \"NONE\", \"availabilityImpact\": \"NONE\"}, \"exploitabilityScore\": 2.5, \"impactScore\": 4.0}]}",
      "published": "2024-06-14T04:15:34.900",
      "references": "[{\"url\": \"http://seclists.org/fulldisclosure/2024/Jul/1\", \"source\": \"ecc0f906-8666-484c-bcf8-c3b7520a72f0\"}, {\"url\": \"https://jvn.jp/en/vu/JVNVU97136265/index.html\", \"source\": \"ecc0f906-8666-484c-bcf8-c3b7520a72f0\"}, {\"url\": \"https://www.toshibatec.com/information/20240531_01.html\", \"source\": \"ecc0f906-8666-484c-bcf8-c3b7520a72f0\"}, {\"url\": \"https://www.toshibatec.com/information/pdf/information20240531_01.pdf\", \"source\": \"ecc0f906-8666-484c-bcf8-c3b7520a72f0\"}, {\"url\": \"http://seclists.org/fulldisclosure/2024/Jul/1\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\"}, {\"url\": \"https://jvn.jp/en/vu/JVNVU97136265/index.html\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\"}, {\"url\": \"https://www.toshibatec.com/information/20240531_01.html\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\"}, {\"url\": \"https://www.toshibatec.com/information/pdf/information20240531_01.pdf\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\"}]",
      "sourceIdentifier": "ecc0f906-8666-484c-bcf8-c3b7520a72f0",
      "vulnStatus": "Awaiting Analysis",
      "weaknesses": "[{\"source\": \"ecc0f906-8666-484c-bcf8-c3b7520a72f0\", \"type\": \"Secondary\", \"description\": [{\"lang\": \"en\", \"value\": \"CWE-798\"}]}]"
    },
    "nvd": "{\"cve\":{\"id\":\"CVE-2024-27168\",\"sourceIdentifier\":\"ecc0f906-8666-484c-bcf8-c3b7520a72f0\",\"published\":\"2024-06-14T04:15:34.900\",\"lastModified\":\"2024-11-21T09:04:00.433\",\"vulnStatus\":\"Awaiting Analysis\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"It appears that some hardcoded keys are used for authentication to internal API. Knowing these private keys may allow attackers to bypass authentication and reach administrative interfaces. As for the affected products/models/versions, see the reference URL.\"},{\"lang\":\"es\",\"value\":\"Parece que algunas claves codificadas se utilizan para la autenticaci\u00f3n en la API interna. Conocer estas claves privadas puede permitir a los atacantes eludir la autenticaci\u00f3n y llegar a las interfaces administrativas. En cuanto a los productos/modelos/versiones afectados, consulte la URL de referencia.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"ecc0f906-8666-484c-bcf8-c3b7520a72f0\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N\",\"baseScore\":7.1,\"baseSeverity\":\"HIGH\",\"attackVector\":\"LOCAL\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"CHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"NONE\",\"availabilityImpact\":\"NONE\"},\"exploitabilityScore\":2.5,\"impactScore\":4.0}]},\"weaknesses\":[{\"source\":\"ecc0f906-8666-484c-bcf8-c3b7520a72f0\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-798\"}]}],\"references\":[{\"url\":\"http://seclists.org/fulldisclosure/2024/Jul/1\",\"source\":\"ecc0f906-8666-484c-bcf8-c3b7520a72f0\"},{\"url\":\"https://jvn.jp/en/vu/JVNVU97136265/index.html\",\"source\":\"ecc0f906-8666-484c-bcf8-c3b7520a72f0\"},{\"url\":\"https://www.toshibatec.com/information/20240531_01.html\",\"source\":\"ecc0f906-8666-484c-bcf8-c3b7520a72f0\"},{\"url\":\"https://www.toshibatec.com/information/pdf/information20240531_01.pdf\",\"source\":\"ecc0f906-8666-484c-bcf8-c3b7520a72f0\"},{\"url\":\"http://seclists.org/fulldisclosure/2024/Jul/1\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"https://jvn.jp/en/vu/JVNVU97136265/index.html\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"https://www.toshibatec.com/information/20240531_01.html\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"https://www.toshibatec.com/information/pdf/information20240531_01.pdf\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"}]}}",
    "vulnrichment": {
      "containers": "{\"adp\": [{\"title\": \"CVE Program Container\", \"references\": [{\"url\": \"https://www.toshibatec.com/information/20240531_01.html\", \"tags\": [\"x_transferred\"]}, {\"url\": \"https://www.toshibatec.com/information/pdf/information20240531_01.pdf\", \"tags\": [\"x_transferred\"]}, {\"url\": \"https://jvn.jp/en/vu/JVNVU97136265/index.html\", \"tags\": [\"x_transferred\"]}, {\"url\": \"http://seclists.org/fulldisclosure/2024/Jul/1\", \"tags\": [\"x_transferred\"]}], \"providerMetadata\": {\"orgId\": \"af854a3a-2127-422b-91ae-364da2661108\", \"shortName\": \"CVE\", \"dateUpdated\": \"2024-08-02T00:27:59.645Z\"}}, {\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2024-27168\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"none\"}, {\"Automatable\": \"no\"}, {\"Technical Impact\": \"partial\"}], \"version\": \"2.0.3\", \"timestamp\": \"2024-06-14T18:49:02.609253Z\"}}}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2024-06-14T18:49:06.784Z\"}}], \"cna\": {\"title\": \"Hardcoded keys used to generate authentication cookies\", \"source\": {\"discovery\": \"UNKNOWN\"}, \"credits\": [{\"lang\": \"en\", \"type\": \"finder\", \"value\": \"We expresses its gratitude to Pierre Barre for reporting relevant security vulnerabilities for our products.\"}], \"impacts\": [{\"capecId\": \"CAPEC-37\", \"descriptions\": [{\"lang\": \"en\", \"value\": \"CAPEC-37 Retrieve Embedded Sensitive Data\"}]}], \"metrics\": [{\"format\": \"CVSS\", \"cvssV3_1\": {\"scope\": \"CHANGED\", \"version\": \"3.1\", \"baseScore\": 7.1, \"attackVector\": \"LOCAL\", \"baseSeverity\": \"HIGH\", \"vectorString\": \"CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N\", \"integrityImpact\": \"NONE\", \"userInteraction\": \"NONE\", \"attackComplexity\": \"LOW\", \"availabilityImpact\": \"NONE\", \"privilegesRequired\": \"NONE\", \"confidentialityImpact\": \"HIGH\"}, \"scenarios\": [{\"lang\": \"en\", \"value\": \"GENERAL\"}]}], \"affected\": [{\"vendor\": \"Toshiba Tec Corporation\", \"product\": \"Toshiba Tec e-Studio multi-function peripheral (MFP)\", \"versions\": [{\"status\": \"affected\", \"version\": \"see the reference URL\"}], \"platforms\": [\"Linux\"], \"defaultStatus\": \"unaffected\"}], \"exploits\": [{\"lang\": \"en\", \"value\": \"We are not aware of any malicious exploitation by these vulnerabilities.\", \"supportingMedia\": [{\"type\": \"text/html\", \"value\": \"We are not aware of any malicious exploitation by these vulnerabilities.\u003cbr\u003e\", \"base64\": false}]}], \"timeline\": [{\"lang\": \"en\", \"time\": \"2024-06-14T02:00:00.000Z\", \"value\": \"Fixes will be released\"}], \"solutions\": [{\"lang\": \"en\", \"value\": \"This issue is fixed in the version released on June 14, 2024 and all later versions.\", \"supportingMedia\": [{\"type\": \"text/html\", \"value\": \"This issue is fixed in the version released on June 14, 2024 and all later versions.\u003cbr\u003e\", \"base64\": false}]}], \"datePublic\": \"2024-06-14T02:00:00.000Z\", \"references\": [{\"url\": \"https://www.toshibatec.com/information/20240531_01.html\"}, {\"url\": \"https://www.toshibatec.com/information/pdf/information20240531_01.pdf\"}, {\"url\": \"https://jvn.jp/en/vu/JVNVU97136265/index.html\"}, {\"url\": \"http://seclists.org/fulldisclosure/2024/Jul/1\"}], \"x_generator\": {\"engine\": \"Vulnogram 0.2.0\"}, \"descriptions\": [{\"lang\": \"en\", \"value\": \"It appears that some hardcoded keys are used for authentication to internal API. Knowing these private keys may allow attackers to bypass authentication and reach administrative interfaces. As for the affected products/models/versions, see the reference URL.\", \"supportingMedia\": [{\"type\": \"text/html\", \"value\": \"It appears that some hardcoded keys are used for authentication to internal API. Knowing these private keys may allow attackers to bypass authentication and reach administrative interfaces. As for the affected products/models/versions, see the reference URL.\", \"base64\": false}]}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-798\", \"description\": \"CWE-798 Use of Hard-coded Credentials\"}]}], \"providerMetadata\": {\"orgId\": \"ecc0f906-8666-484c-bcf8-c3b7520a72f0\", \"shortName\": \"Toshiba\", \"dateUpdated\": \"2024-07-04T05:07:13.094Z\"}}}",
      "cveMetadata": "{\"cveId\": \"CVE-2024-27168\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2025-02-13T17:46:10.504Z\", \"dateReserved\": \"2024-02-21T02:11:59.653Z\", \"assignerOrgId\": \"ecc0f906-8666-484c-bcf8-c3b7520a72f0\", \"datePublished\": \"2024-06-14T03:53:58.804Z\", \"assignerShortName\": \"Toshiba\"}",
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }
  }
}

GSD-2024-27168

Vulnerability from gsd - Updated: 2024-02-21 06:02

Details

** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided.

Aliases

CVE-2024-27168

JSON

To clipboard

{
  "gsd": {
    "metadata": {
      "exploitCode": "unknown",
      "remediation": "unknown",
      "reportConfidence": "confirmed",
      "type": "vulnerability"
    },
    "osvSchema": {
      "aliases": [
        "CVE-2024-27168"
      ],
      "id": "GSD-2024-27168",
      "modified": "2024-02-21T06:02:38.576455Z",
      "schema_version": "1.4.0"
    }
  },
  "namespaces": {
    "cve.org": {
      "CVE_data_meta": {
        "ASSIGNER": "cve@mitre.org",
        "ID": "CVE-2024-27168",
        "STATE": "RESERVED"
      },
      "data_format": "MITRE",
      "data_type": "CVE",
      "data_version": "4.0",
      "description": {
        "description_data": [
          {
            "lang": "eng",
            "value": "** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided."
          }
        ]
      }
    }
  }
}

JVNDB-2024-003539

Vulnerability from jvndb - Published: 2024-06-17 15:21 - Updated:2024-06-17 15:21

Summary

Multiple vulnerabilities in Toshiba Tec and Oki Electric Industry MFPs

Details

MFPs (multifunction printers) provided by Toshiba Tec Corporation and Oki Electric Industry Co., Ltd. contain multiple vulnerabilities listed below.

Improper Restriction of Recursive Entity References in DTDs ('XML Entity Expansion') (CWE-776) - CVE-2024-27141, CVE-2024-27142
Execution with Unnecessary Privileges (CWE-250) - CVE-2024-27143, CVE-2024-27146, CVE-2024-27147, CVE-2024-3498
Incorrect Default Permissions (CWE-276) - CVE-2024-27148, CVE-2024-27149, CVE-2024-27150, CVE-2024-27151, CVE-2024-27152, CVE-2024-27153, CVE-2024-27155, CVE-2024-27167, CVE-2024-27171
Path Traversal (CWE-22) - CVE-2024-27144, CVE-2024-27145, CVE-2024-27173, CVE-2024-27174, CVE-2024-27176, CVE-2024-27177, CVE-2024-27178
Insertion of Sensitive Information into Log File (CWE-532) - CVE-2024-27154, CVE-2024-27156, CVE-2024-27157
Plaintext Storage of a Password (CWE-256) - CVE-2024-27166
Debug Messages Revealing Unnecessary Information (CWE-1295) - CVE-2024-27179
Use of Default Credentials (CWE-1392) - CVE-2024-27158
Use of Hard-coded Credentials (CWE-798) - CVE-2024-27159, CVE-2024-27160, CVE-2024-27161, CVE-2024-27168, CVE-2024-27170
Use of Hard-coded Password (CWE-259) - CVE-2024-27164
Cross-site Scripting (CWE-79) - CVE-2024-27162
Cleartext Transmission of Sensitive Information (CWE-319) - CVE-2024-27163
Least Privilege Violation (CWE-272) - CVE-2024-27165
Missing Authentication for Critical Function (CWE-306) - CVE-2024-27169
OS Command Injection (CWE-78) - CVE-2024-27172
External Control of File Name or Path (CWE-73) - CVE-2024-27175
Time-of-check Time-of-use (TOCTOU) Race Condition (CWE-367) - CVE-2024-27180
Authentication Bypass Using an Alternate Path or Channel (CWE-288) - CVE-2024-3496
Relative Path Traversal (CWE-23) - CVE-2024-3497

Toshiba Tec Corporation reported these vulnerabilities to JPCERT/CC to notify users of the solutions through JVN.

References

Type

URL

	JVN	https://jvn.jp/en/vu/JVNVU97136265/index.html
	CVE	https://www.cve.org/CVERecord?id=CVE-2024-27141
	CVE	https://www.cve.org/CVERecord?id=CVE-2024-27142
	CVE	https://www.cve.org/CVERecord?id=CVE-2024-27143
	CVE	https://www.cve.org/CVERecord?id=CVE-2024-27146
	CVE	https://www.cve.org/CVERecord?id=CVE-2024-27147
	CVE	https://www.cve.org/CVERecord?id=CVE-2024-3498
	CVE	https://www.cve.org/CVERecord?id=CVE-2024-27148
	CVE	https://www.cve.org/CVERecord?id=CVE-2024-27149
	CVE	https://www.cve.org/CVERecord?id=CVE-2024-27150
	CVE	https://www.cve.org/CVERecord?id=CVE-2024-27151
	CVE	https://www.cve.org/CVERecord?id=CVE-2024-27152
	CVE	https://www.cve.org/CVERecord?id=CVE-2024-27153
	CVE	https://www.cve.org/CVERecord?id=CVE-2024-27155
	CVE	https://www.cve.org/CVERecord?id=CVE-2024-27167
	CVE	https://www.cve.org/CVERecord?id=CVE-2024-27171
	CVE	https://www.cve.org/CVERecord?id=CVE-2024-27144
	CVE	https://www.cve.org/CVERecord?id=CVE-2024-27145
	CVE	https://www.cve.org/CVERecord?id=CVE-2024-27173
	CVE	https://www.cve.org/CVERecord?id=CVE-2024-27174
	CVE	https://www.cve.org/CVERecord?id=CVE-2024-27176
	CVE	https://www.cve.org/CVERecord?id=CVE-2024-27177
	CVE	https://www.cve.org/CVERecord?id=CVE-2024-27178
	CVE	https://www.cve.org/CVERecord?id=CVE-2024-27154
	CVE	https://www.cve.org/CVERecord?id=CVE-2024-27156
	CVE	https://www.cve.org/CVERecord?id=CVE-2024-27157
	CVE	https://www.cve.org/CVERecord?id=CVE-2024-27166
	CVE	https://www.cve.org/CVERecord?id=CVE-2024-27179
	CVE	https://www.cve.org/CVERecord?id=CVE-2024-27158
	CVE	https://www.cve.org/CVERecord?id=CVE-2024-27159
	CVE	https://www.cve.org/CVERecord?id=CVE-2024-27160
	CVE	https://www.cve.org/CVERecord?id=CVE-2024-27161
	CVE	https://www.cve.org/CVERecord?id=CVE-2024-27168
	CVE	https://www.cve.org/CVERecord?id=CVE-2024-27170
	CVE	https://www.cve.org/CVERecord?id=CVE-2024-27164
	CVE	https://www.cve.org/CVERecord?id=CVE-2024-27162
	CVE	https://www.cve.org/CVERecord?id=CVE-2024-27163
	CVE	https://www.cve.org/CVERecord?id=CVE-2024-27165
	CVE	https://www.cve.org/CVERecord?id=CVE-2024-27169
	CVE	https://www.cve.org/CVERecord?id=CVE-2024-27172
	CVE	https://www.cve.org/CVERecord?id=CVE-2024-27175
	CVE	https://www.cve.org/CVERecord?id=CVE-2024-27180
	CVE	https://www.cve.org/CVERecord?id=CVE-2024-3496
	CVE	https://www.cve.org/CVERecord?id=CVE-2024-3497
	Debug Messages Revealing Unnecessary Information(CWE-1295)	https://cwe.mitre.org/data/definitions/1295
	Use of Default Credentials(CWE-1392)	https://cwe.mitre.org/data/definitions/1392.html
	Path Traversal(CWE-22)	https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html
	Relative Path Traversal(CWE-23)	https://cwe.mitre.org/data/definitions/23.html
	Execution with Unnecessary Privileges(CWE-250)	https://cwe.mitre.org/data/definitions/250.html
	Unprotected Storage of Credentials(CWE-256)	https://cwe.mitre.org/data/definitions/256.html
	Use of Hard-coded Password(CWE-259)	https://cwe.mitre.org/data/definitions/259.html
	Least Privilege Violation(CWE-272)	https://cwe.mitre.org/data/definitions/272.html
	Incorrect Default Permissions(CWE-276)	https://cwe.mitre.org/data/definitions/276.html
	Authentication Bypass Using an Alternate Path or Channel(CWE-288)	https://cwe.mitre.org/data/definitions/288.html
	Missing Authentication for Critical Function(CWE-306)	https://cwe.mitre.org/data/definitions/306.html
	Cleartext Transmission of Sensitive Information(CWE-319)	https://cwe.mitre.org/data/definitions/319.html
	Time-of-check Time-of-use (TOCTOU) Race Condition(CWE-367)	https://cwe.mitre.org/data/definitions/367.html
	Information Exposure Through Log Files(CWE-532)	https://cwe.mitre.org/data/definitions/532.html
	External Control of File Name or Path(CWE-73)	https://cwe.mitre.org/data/definitions/73.html
	Improper Restriction of Recursive Entity References in DTDs ('XML Entity Expansion')(CWE-776)	http://cwe.mitre.org/data/definitions/776.html
	OS Command Injection(CWE-78)	https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html
	Cross-site Scripting(CWE-79)	https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html
	Use of Hard-coded Credentials(CWE-798)	https://cwe.mitre.org/data/definitions/798.html

Impacted products

Vendor

Product

	Oki Electric Industry Co., Ltd.	(Multiple Products)
	TOSHIBA TEC	(Multiple Products)

Show details on JVN DB website

JSON

To clipboard

{
  "@rdf:about": "https://jvndb.jvn.jp/en/contents/2024/JVNDB-2024-003539.html",
  "dc:date": "2024-06-17T15:21+09:00",
  "dcterms:issued": "2024-06-17T15:21+09:00",
  "dcterms:modified": "2024-06-17T15:21+09:00",
  "description": "MFPs (multifunction printers) provided by Toshiba Tec Corporation and Oki Electric Industry Co., Ltd. contain multiple vulnerabilities listed below.\r\n\u003cul\u003e\r\n\t\u003cli\u003e\u003cb\u003eImproper Restriction of Recursive Entity References in DTDs (\u0026#39;XML Entity Expansion\u0026#39;) (\u003ca href=\"https://cwe.mitre.org/data/definitions/776\"\u003eCWE-776\u003c/a\u003e) \u003c/b\u003e- CVE-2024-27141, CVE-2024-27142\u003c/li\u003e\r\n\t\u003cli\u003e\u003cb\u003eExecution with Unnecessary Privileges (\u003ca href=\"https://cwe.mitre.org/data/definitions/250\"\u003eCWE-250\u003c/a\u003e) \u003c/b\u003e- CVE-2024-27143, CVE-2024-27146, CVE-2024-27147, CVE-2024-3498\u003c/li\u003e\r\n\t\u003cli\u003e\u003cb\u003eIncorrect Default Permissions (\u003ca href=\"https://cwe.mitre.org/data/definitions/276\"\u003eCWE-276\u003c/a\u003e) \u003c/b\u003e- CVE-2024-27148, CVE-2024-27149, CVE-2024-27150, CVE-2024-27151, CVE-2024-27152, CVE-2024-27153, CVE-2024-27155, CVE-2024-27167, CVE-2024-27171\u003c/li\u003e\r\n\t\u003cli\u003e\u003cb\u003ePath Traversal (\u003ca href=\"https://cwe.mitre.org/data/definitions/22\"\u003eCWE-22\u003c/a\u003e) \u003c/b\u003e- CVE-2024-27144, CVE-2024-27145, CVE-2024-27173, CVE-2024-27174, CVE-2024-27176, CVE-2024-27177, CVE-2024-27178\u003c/li\u003e\r\n\t\u003cli\u003e\u003cb\u003eInsertion of Sensitive Information into Log File (\u003ca href=\"https://cwe.mitre.org/data/definitions/532\"\u003eCWE-532\u003c/a\u003e) \u003c/b\u003e- CVE-2024-27154, CVE-2024-27156, CVE-2024-27157\u003c/li\u003e\r\n\t\u003cli\u003e\u003cb\u003ePlaintext Storage of a Password (\u003ca href=\"https://cwe.mitre.org/data/definitions/256\"\u003eCWE-256\u003c/a\u003e) \u003c/b\u003e- CVE-2024-27166\u003c/li\u003e\r\n\t\u003cli\u003e\u003cb\u003eDebug Messages Revealing Unnecessary Information (\u003ca href=\"https://cwe.mitre.org/data/definitions/1295\"\u003eCWE-1295\u003c/a\u003e) \u003c/b\u003e- CVE-2024-27179\u003c/li\u003e\r\n\t\u003cli\u003e\u003cb\u003eUse of Default Credentials (\u003ca href=\"https://cwe.mitre.org/data/definitions/1392\"\u003eCWE-1392\u003c/a\u003e) \u003c/b\u003e- CVE-2024-27158\u003c/li\u003e\r\n\t\u003cli\u003e\u003cb\u003eUse of Hard-coded Credentials (\u003ca href=\"https://cwe.mitre.org/data/definitions/798\"\u003eCWE-798\u003c/a\u003e) \u003c/b\u003e- CVE-2024-27159, CVE-2024-27160, CVE-2024-27161, CVE-2024-27168, CVE-2024-27170\u003c/li\u003e\r\n\t\u003cli\u003e\u003cb\u003eUse of Hard-coded Password (\u003ca href=\"https://cwe.mitre.org/data/definitions/259\"\u003eCWE-259\u003c/a\u003e) \u003c/b\u003e- CVE-2024-27164\u003c/li\u003e\r\n\t\u003cli\u003e\u003cb\u003eCross-site Scripting (\u003ca href=\"http://cwe.mitre.org/data/definitions/79\"\u003eCWE-79\u003c/a\u003e) \u003c/b\u003e- CVE-2024-27162\u003c/li\u003e\r\n\t\u003cli\u003e\u003cb\u003eCleartext Transmission of Sensitive Information (\u003ca href=\"https://cwe.mitre.org/data/definitions/319\"\u003eCWE-319\u003c/a\u003e) \u003c/b\u003e- CVE-2024-27163\u003c/li\u003e\r\n\t\u003cli\u003e\u003cb\u003eLeast Privilege Violation (\u003ca href=\"https://cwe.mitre.org/data/definitions/272\"\u003eCWE-272\u003c/a\u003e) \u003c/b\u003e- CVE-2024-27165\u003c/li\u003e\r\n\t\u003cli\u003e\u003cb\u003eMissing Authentication for Critical Function (\u003ca href=\"https://cwe.mitre.org/data/definitions/306\"\u003eCWE-306\u003c/a\u003e) \u003c/b\u003e- CVE-2024-27169\u003c/li\u003e\r\n\t\u003cli\u003e\u003cb\u003eOS Command Injection (\u003ca href=\"https://cwe.mitre.org/data/definitions/78\"\u003eCWE-78\u003c/a\u003e) \u003c/b\u003e- CVE-2024-27172\u003c/li\u003e\r\n\t\u003cli\u003e\u003cb\u003eExternal Control of File Name or Path (\u003ca href=\"https://cwe.mitre.org/data/definitions/73\"\u003eCWE-73\u003c/a\u003e) \u003c/b\u003e- CVE-2024-27175\u003c/li\u003e\r\n\t\u003cli\u003e\u003cb\u003eTime-of-check Time-of-use (TOCTOU) Race Condition (\u003ca href=\"https://cwe.mitre.org/data/definitions/367\"\u003eCWE-367\u003c/a\u003e) \u003c/b\u003e- CVE-2024-27180\u003c/li\u003e\r\n\t\u003cli\u003e\u003cb\u003eAuthentication Bypass Using an Alternate Path or Channel (\u003ca href=\"https://cwe.mitre.org/data/definitions/288\"\u003eCWE-288\u003c/a\u003e\u003c/b\u003e) - CVE-2024-3496\u003c/li\u003e\r\n\t\u003cli\u003e\u003cb\u003eRelative Path Traversal (\u003ca href=\"https://cwe.mitre.org/data/definitions/23\"\u003eCWE-23\u003c/a\u003e) \u003c/b\u003e- CVE-2024-3497\u003c/li\u003e\r\n\u003c/ul\u003e\r\n\r\nToshiba Tec Corporation reported these vulnerabilities to JPCERT/CC to notify users of the solutions through JVN.",
  "link": "https://jvndb.jvn.jp/en/contents/2024/JVNDB-2024-003539.html",
  "sec:cpe": [
    {
      "#text": "cpe:/a:misc:oki_electric_industry_multiple_product",
      "@product": "(Multiple Products)",
      "@vendor": "Oki Electric Industry Co., Ltd.",
      "@version": "2.2"
    },
    {
      "#text": "cpe:/a:toshibatec:multiple_product",
      "@product": "(Multiple Products)",
      "@vendor": "TOSHIBA TEC",
      "@version": "2.2"
    }
  ],
  "sec:identifier": "JVNDB-2024-003539",
  "sec:references": [
    {
      "#text": "https://jvn.jp/en/vu/JVNVU97136265/index.html",
      "@id": "JVNVU#97136265",
      "@source": "JVN"
    },
    {
      "#text": "https://www.cve.org/CVERecord?id=CVE-2024-27141",
      "@id": "CVE-2024-27141",
      "@source": "CVE"
    },
    {
      "#text": "https://www.cve.org/CVERecord?id=CVE-2024-27142",
      "@id": "CVE-2024-27142",
      "@source": "CVE"
    },
    {
      "#text": "https://www.cve.org/CVERecord?id=CVE-2024-27143",
      "@id": "CVE-2024-27143",
      "@source": "CVE"
    },
    {
      "#text": "https://www.cve.org/CVERecord?id=CVE-2024-27146",
      "@id": "CVE-2024-27146",
      "@source": "CVE"
    },
    {
      "#text": "https://www.cve.org/CVERecord?id=CVE-2024-27147",
      "@id": "CVE-2024-27147",
      "@source": "CVE"
    },
    {
      "#text": "https://www.cve.org/CVERecord?id=CVE-2024-3498",
      "@id": "CVE-2024-3498",
      "@source": "CVE"
    },
    {
      "#text": "https://www.cve.org/CVERecord?id=CVE-2024-27148",
      "@id": "CVE-2024-27148",
      "@source": "CVE"
    },
    {
      "#text": "https://www.cve.org/CVERecord?id=CVE-2024-27149",
      "@id": "CVE-2024-27149",
      "@source": "CVE"
    },
    {
      "#text": "https://www.cve.org/CVERecord?id=CVE-2024-27150",
      "@id": "CVE-2024-27150",
      "@source": "CVE"
    },
    {
      "#text": "https://www.cve.org/CVERecord?id=CVE-2024-27151",
      "@id": "CVE-2024-27151",
      "@source": "CVE"
    },
    {
      "#text": "https://www.cve.org/CVERecord?id=CVE-2024-27152",
      "@id": "CVE-2024-27152",
      "@source": "CVE"
    },
    {
      "#text": "https://www.cve.org/CVERecord?id=CVE-2024-27153",
      "@id": "CVE-2024-27153",
      "@source": "CVE"
    },
    {
      "#text": "https://www.cve.org/CVERecord?id=CVE-2024-27155",
      "@id": "CVE-2024-27155",
      "@source": "CVE"
    },
    {
      "#text": "https://www.cve.org/CVERecord?id=CVE-2024-27167",
      "@id": "CVE-2024-27167",
      "@source": "CVE"
    },
    {
      "#text": "https://www.cve.org/CVERecord?id=CVE-2024-27171",
      "@id": "CVE-2024-27171",
      "@source": "CVE"
    },
    {
      "#text": "https://www.cve.org/CVERecord?id=CVE-2024-27144",
      "@id": "CVE-2024-27144",
      "@source": "CVE"
    },
    {
      "#text": "https://www.cve.org/CVERecord?id=CVE-2024-27145",
      "@id": "CVE-2024-27145",
      "@source": "CVE"
    },
    {
      "#text": "https://www.cve.org/CVERecord?id=CVE-2024-27173",
      "@id": "CVE-2024-27173",
      "@source": "CVE"
    },
    {
      "#text": "https://www.cve.org/CVERecord?id=CVE-2024-27174",
      "@id": "CVE-2024-27174",
      "@source": "CVE"
    },
    {
      "#text": "https://www.cve.org/CVERecord?id=CVE-2024-27176",
      "@id": "CVE-2024-27176",
      "@source": "CVE"
    },
    {
      "#text": "https://www.cve.org/CVERecord?id=CVE-2024-27177",
      "@id": "CVE-2024-27177",
      "@source": "CVE"
    },
    {
      "#text": "https://www.cve.org/CVERecord?id=CVE-2024-27178",
      "@id": "CVE-2024-27178",
      "@source": "CVE"
    },
    {
      "#text": "https://www.cve.org/CVERecord?id=CVE-2024-27154",
      "@id": "CVE-2024-27154",
      "@source": "CVE"
    },
    {
      "#text": "https://www.cve.org/CVERecord?id=CVE-2024-27156",
      "@id": "CVE-2024-27156",
      "@source": "CVE"
    },
    {
      "#text": "https://www.cve.org/CVERecord?id=CVE-2024-27157",
      "@id": "CVE-2024-27157",
      "@source": "CVE"
    },
    {
      "#text": "https://www.cve.org/CVERecord?id=CVE-2024-27166",
      "@id": "CVE-2024-27166",
      "@source": "CVE"
    },
    {
      "#text": "https://www.cve.org/CVERecord?id=CVE-2024-27179",
      "@id": "CVE-2024-27179",
      "@source": "CVE"
    },
    {
      "#text": "https://www.cve.org/CVERecord?id=CVE-2024-27158",
      "@id": "CVE-2024-27158",
      "@source": "CVE"
    },
    {
      "#text": "https://www.cve.org/CVERecord?id=CVE-2024-27159",
      "@id": "CVE-2024-27159",
      "@source": "CVE"
    },
    {
      "#text": "https://www.cve.org/CVERecord?id=CVE-2024-27160",
      "@id": "CVE-2024-27160",
      "@source": "CVE"
    },
    {
      "#text": "https://www.cve.org/CVERecord?id=CVE-2024-27161",
      "@id": "CVE-2024-27161",
      "@source": "CVE"
    },
    {
      "#text": "https://www.cve.org/CVERecord?id=CVE-2024-27168",
      "@id": "CVE-2024-27168",
      "@source": "CVE"
    },
    {
      "#text": "https://www.cve.org/CVERecord?id=CVE-2024-27170",
      "@id": "CVE-2024-27170",
      "@source": "CVE"
    },
    {
      "#text": "https://www.cve.org/CVERecord?id=CVE-2024-27164",
      "@id": "CVE-2024-27164",
      "@source": "CVE"
    },
    {
      "#text": "https://www.cve.org/CVERecord?id=CVE-2024-27162",
      "@id": "CVE-2024-27162",
      "@source": "CVE"
    },
    {
      "#text": "https://www.cve.org/CVERecord?id=CVE-2024-27163",
      "@id": "CVE-2024-27163",
      "@source": "CVE"
    },
    {
      "#text": "https://www.cve.org/CVERecord?id=CVE-2024-27165",
      "@id": "CVE-2024-27165",
      "@source": "CVE"
    },
    {
      "#text": "https://www.cve.org/CVERecord?id=CVE-2024-27169",
      "@id": "CVE-2024-27169",
      "@source": "CVE"
    },
    {
      "#text": "https://www.cve.org/CVERecord?id=CVE-2024-27172",
      "@id": "CVE-2024-27172",
      "@source": "CVE"
    },
    {
      "#text": "https://www.cve.org/CVERecord?id=CVE-2024-27175",
      "@id": "CVE-2024-27175",
      "@source": "CVE"
    },
    {
      "#text": "https://www.cve.org/CVERecord?id=CVE-2024-27180",
      "@id": "CVE-2024-27180",
      "@source": "CVE"
    },
    {
      "#text": "https://www.cve.org/CVERecord?id=CVE-2024-3496",
      "@id": "CVE-2024-3496",
      "@source": "CVE"
    },
    {
      "#text": "https://www.cve.org/CVERecord?id=CVE-2024-3497",
      "@id": "CVE-2024-3497",
      "@source": "CVE"
    },
    {
      "#text": "https://cwe.mitre.org/data/definitions/1295",
      "@id": "CWE-1295",
      "@title": "Debug Messages Revealing Unnecessary Information(CWE-1295)"
    },
    {
      "#text": "https://cwe.mitre.org/data/definitions/1392.html",
      "@id": "CWE-1392",
      "@title": "Use of Default Credentials(CWE-1392)"
    },
    {
      "#text": "https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html",
      "@id": "CWE-22",
      "@title": "Path Traversal(CWE-22)"
    },
    {
      "#text": "https://cwe.mitre.org/data/definitions/23.html",
      "@id": "CWE-23",
      "@title": "Relative Path Traversal(CWE-23)"
    },
    {
      "#text": "https://cwe.mitre.org/data/definitions/250.html",
      "@id": "CWE-250",
      "@title": "Execution with Unnecessary Privileges(CWE-250)"
    },
    {
      "#text": "https://cwe.mitre.org/data/definitions/256.html",
      "@id": "CWE-256",
      "@title": "Unprotected Storage of Credentials(CWE-256)"
    },
    {
      "#text": "https://cwe.mitre.org/data/definitions/259.html",
      "@id": "CWE-259",
      "@title": "Use of Hard-coded Password(CWE-259)"
    },
    {
      "#text": "https://cwe.mitre.org/data/definitions/272.html",
      "@id": "CWE-272",
      "@title": "Least Privilege Violation(CWE-272)"
    },
    {
      "#text": "https://cwe.mitre.org/data/definitions/276.html",
      "@id": "CWE-276",
      "@title": "Incorrect Default Permissions(CWE-276)"
    },
    {
      "#text": "https://cwe.mitre.org/data/definitions/288.html",
      "@id": "CWE-288",
      "@title": "Authentication Bypass Using an Alternate Path or Channel(CWE-288)"
    },
    {
      "#text": "https://cwe.mitre.org/data/definitions/306.html",
      "@id": "CWE-306",
      "@title": "Missing Authentication for Critical Function(CWE-306)"
    },
    {
      "#text": "https://cwe.mitre.org/data/definitions/319.html",
      "@id": "CWE-319",
      "@title": "Cleartext Transmission of Sensitive Information(CWE-319)"
    },
    {
      "#text": "https://cwe.mitre.org/data/definitions/367.html",
      "@id": "CWE-367",
      "@title": "Time-of-check Time-of-use (TOCTOU) Race Condition(CWE-367)"
    },
    {
      "#text": "https://cwe.mitre.org/data/definitions/532.html",
      "@id": "CWE-532",
      "@title": "Information Exposure Through Log Files(CWE-532)"
    },
    {
      "#text": "https://cwe.mitre.org/data/definitions/73.html",
      "@id": "CWE-73",
      "@title": "External Control of File Name or Path(CWE-73)"
    },
    {
      "#text": "http://cwe.mitre.org/data/definitions/776.html",
      "@id": "CWE-776",
      "@title": "Improper Restriction of Recursive Entity References in DTDs (\u0027XML Entity Expansion\u0027)(CWE-776)"
    },
    {
      "#text": "https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html",
      "@id": "CWE-78",
      "@title": "OS Command Injection(CWE-78)"
    },
    {
      "#text": "https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html",
      "@id": "CWE-79",
      "@title": "Cross-site Scripting(CWE-79)"
    },
    {
      "#text": "https://cwe.mitre.org/data/definitions/798.html",
      "@id": "CWE-798",
      "@title": "Use of Hard-coded Credentials(CWE-798)"
    }
  ],
  "title": "Multiple vulnerabilities in Toshiba Tec and Oki Electric Industry MFPs"
}

GHSA-PC9H-2FG4-M4V8

Vulnerability from github – Published: 2024-06-14 06:34 – Updated: 2024-07-04 06:35

Details

Severity ?

7.1 (High)


                  
                    CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N

Show details on source website

JSON

To clipboard

{
  "affected": [],
  "aliases": [
    "CVE-2024-27168"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-798"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-06-14T04:15:34Z",
    "severity": "HIGH"
  },
  "details": "It appears that some hardcoded keys are used for authentication to internal API. Knowing these private keys may allow attackers to bypass authentication and reach administrative interfaces. As for the affected products/models/versions, see the reference URL.",
  "id": "GHSA-pc9h-2fg4-m4v8",
  "modified": "2024-07-04T06:35:04Z",
  "published": "2024-06-14T06:34:47Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-27168"
    },
    {
      "type": "WEB",
      "url": "https://jvn.jp/en/vu/JVNVU97136265/index.html"
    },
    {
      "type": "WEB",
      "url": "https://www.toshibatec.com/information/20240531_01.html"
    },
    {
      "type": "WEB",
      "url": "https://www.toshibatec.com/information/pdf/information20240531_01.pdf"
    },
    {
      "type": "WEB",
      "url": "http://seclists.org/fulldisclosure/2024/Jul/1"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

FKIE_CVE-2024-27168

Vulnerability from fkie_nvd - Published: 2024-06-14 04:15 - Updated: 2024-11-21 09:04

Severity ?

7.1 (High) - CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N

Summary

References

	URL	Tags
	ecc0f906-8666-484c-bcf8-c3b7520a72f0	http://seclists.org/fulldisclosure/2024/Jul/1
	ecc0f906-8666-484c-bcf8-c3b7520a72f0	https://jvn.jp/en/vu/JVNVU97136265/index.html
	ecc0f906-8666-484c-bcf8-c3b7520a72f0	https://www.toshibatec.com/information/20240531_01.html
	ecc0f906-8666-484c-bcf8-c3b7520a72f0	https://www.toshibatec.com/information/pdf/information20240531_01.pdf
	af854a3a-2127-422b-91ae-364da2661108	http://seclists.org/fulldisclosure/2024/Jul/1
	af854a3a-2127-422b-91ae-364da2661108	https://jvn.jp/en/vu/JVNVU97136265/index.html
	af854a3a-2127-422b-91ae-364da2661108	https://www.toshibatec.com/information/20240531_01.html
	af854a3a-2127-422b-91ae-364da2661108	https://www.toshibatec.com/information/pdf/information20240531_01.pdf

Impacted products

	Vendor	Product	Version

JSON

To clipboard

{
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "It appears that some hardcoded keys are used for authentication to internal API. Knowing these private keys may allow attackers to bypass authentication and reach administrative interfaces. As for the affected products/models/versions, see the reference URL."
    },
    {
      "lang": "es",
      "value": "Parece que algunas claves codificadas se utilizan para la autenticaci\u00f3n en la API interna. Conocer estas claves privadas puede permitir a los atacantes eludir la autenticaci\u00f3n y llegar a las interfaces administrativas. En cuanto a los productos/modelos/versiones afectados, consulte la URL de referencia."
    }
  ],
  "id": "CVE-2024-27168",
  "lastModified": "2024-11-21T09:04:00.433",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "LOCAL",
          "availabilityImpact": "NONE",
          "baseScore": 7.1,
          "baseSeverity": "HIGH",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "NONE",
          "privilegesRequired": "NONE",
          "scope": "CHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N",
          "version": "3.1"
        },
        "exploitabilityScore": 2.5,
        "impactScore": 4.0,
        "source": "ecc0f906-8666-484c-bcf8-c3b7520a72f0",
        "type": "Secondary"
      }
    ]
  },
  "published": "2024-06-14T04:15:34.900",
  "references": [
    {
      "source": "ecc0f906-8666-484c-bcf8-c3b7520a72f0",
      "url": "http://seclists.org/fulldisclosure/2024/Jul/1"
    },
    {
      "source": "ecc0f906-8666-484c-bcf8-c3b7520a72f0",
      "url": "https://jvn.jp/en/vu/JVNVU97136265/index.html"
    },
    {
      "source": "ecc0f906-8666-484c-bcf8-c3b7520a72f0",
      "url": "https://www.toshibatec.com/information/20240531_01.html"
    },
    {
      "source": "ecc0f906-8666-484c-bcf8-c3b7520a72f0",
      "url": "https://www.toshibatec.com/information/pdf/information20240531_01.pdf"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "http://seclists.org/fulldisclosure/2024/Jul/1"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "https://jvn.jp/en/vu/JVNVU97136265/index.html"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "https://www.toshibatec.com/information/20240531_01.html"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "https://www.toshibatec.com/information/pdf/information20240531_01.pdf"
    }
  ],
  "sourceIdentifier": "ecc0f906-8666-484c-bcf8-c3b7520a72f0",
  "vulnStatus": "Awaiting Analysis",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-798"
        }
      ],
      "source": "ecc0f906-8666-484c-bcf8-c3b7520a72f0",
      "type": "Secondary"
    }
  ]
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

CVE-2024-27168 (GCVE-0-2024-27168)

GSD-2024-27168

JVNDB-2024-003539

GHSA-PC9H-2FG4-M4V8

FKIE_CVE-2024-27168

Tags

Sightings

Nomenclature