CVE-2024-5625 (GCVE-0-2024-5625)

Vulnerability from cvelistv5 – Published: 2024-07-18 17:12 – Updated: 2024-08-01 21:18
VLAI?
Title
XML External Entity Injection in PruvaSoft Informatics' Apinizer Management Console
Summary
Improper Restriction of XML External Entity Reference vulnerability in PruvaSoft Informatics Apinizer Management Console allows Data Serialization External Entities Blowup.This issue affects Apinizer Management Console: before 2024.05.1.
Severity ?
6.5 (Medium)
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
CWE
  • CWE-611 - Improper Restriction of XML External Entity Reference
Assigner
References
Impacted products
Vendor Product Version
PruvaSoft Informatics Apinizer Management Console Affected: 0 , < 2024.05.1 (custom)
Create a notification for this product.
Credits
Akın ŞENGEZER
Show details on NVD website
To clipboard 

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2024-5625",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2024-07-18T17:23:51.362139Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2024-07-18T17:24:00.884Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      },
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-01T21:18:06.243Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://www.usom.gov.tr/bildirim/tr-24-1010"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Apinizer Management Console",
          "vendor": "PruvaSoft Informatics",
          "versions": [
            {
              "lessThan": "2024.05.1",
              "status": "affected",
              "version": "0",
              "versionType": "custom"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "Ak\u0131n \u015eENGEZER"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "Improper Restriction of XML External Entity Reference vulnerability in PruvaSoft Informatics Apinizer Management Console allows Data Serialization External Entities Blowup.\u003cp\u003eThis issue affects Apinizer Management Console: before 2024.05.1.\u003c/p\u003e"
            }
          ],
          "value": "Improper Restriction of XML External Entity Reference vulnerability in PruvaSoft Informatics Apinizer Management Console allows Data Serialization External Entities Blowup.This issue affects Apinizer Management Console: before 2024.05.1."
        }
      ],
      "impacts": [
        {
          "capecId": "CAPEC-221",
          "descriptions": [
            {
              "lang": "en",
              "value": "CAPEC-221 Data Serialization External Entities Blowup"
            }
          ]
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 6.5,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "NONE",
            "privilegesRequired": "LOW",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
            "version": "3.1"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-611",
              "description": "CWE-611 Improper Restriction of XML External Entity Reference",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2024-07-18T17:12:37.358Z",
        "orgId": "ca940d4e-fea4-4aa2-9a58-591a58b1ce21",
        "shortName": "TR-CERT"
      },
      "references": [
        {
          "url": "https://www.usom.gov.tr/bildirim/tr-24-1010"
        }
      ],
      "source": {
        "advisory": "TR-24-1010",
        "defect": [
          "TR-24-1010"
        ],
        "discovery": "UNKNOWN"
      },
      "title": "XML External Entity Injection in PruvaSoft Informatics\u0027 Apinizer Management Console",
      "x_generator": {
        "engine": "Vulnogram 0.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "ca940d4e-fea4-4aa2-9a58-591a58b1ce21",
    "assignerShortName": "TR-CERT",
    "cveId": "CVE-2024-5625",
    "datePublished": "2024-07-18T17:12:37.358Z",
    "dateReserved": "2024-06-04T08:50:37.804Z",
    "dateUpdated": "2024-08-01T21:18:06.243Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1",
  "vulnerability-lookup:meta": {
    "epss": {
      "cve": "CVE-2024-5625",
      "date": "2026-04-26",
      "epss": "0.00096",
      "percentile": "0.26407"
    },
    "fkie_nvd": {
      "descriptions": "[{\"lang\": \"en\", \"value\": \"Improper Restriction of XML External Entity Reference vulnerability in PruvaSoft Informatics Apinizer Management Console allows Data Serialization External Entities Blowup.This issue affects Apinizer Management Console: before 2024.05.1.\"}, {\"lang\": \"es\", \"value\": \"La restricci\\u00f3n inadecuada de la vulnerabilidad de referencia de entidades externas XML en PruvaSoft Informatics Apinizer Management Console permite la explosi\\u00f3n de entidades externas de serializaci\\u00f3n de datos. Este problema afecta a Apinizer Management Console: antes de 2024.05.1.\"}]",
      "id": "CVE-2024-5625",
      "lastModified": "2024-11-21T09:48:02.390",
      "metrics": "{\"cvssMetricV31\": [{\"source\": \"iletisim@usom.gov.tr\", \"type\": \"Secondary\", \"cvssData\": {\"version\": \"3.1\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N\", \"baseScore\": 6.5, \"baseSeverity\": \"MEDIUM\", \"attackVector\": \"NETWORK\", \"attackComplexity\": \"LOW\", \"privilegesRequired\": \"LOW\", \"userInteraction\": \"NONE\", \"scope\": \"UNCHANGED\", \"confidentialityImpact\": \"HIGH\", \"integrityImpact\": \"NONE\", \"availabilityImpact\": \"NONE\"}, \"exploitabilityScore\": 2.8, \"impactScore\": 3.6}]}",
      "published": "2024-07-18T18:15:05.753",
      "references": "[{\"url\": \"https://www.usom.gov.tr/bildirim/tr-24-1010\", \"source\": \"iletisim@usom.gov.tr\"}, {\"url\": \"https://www.usom.gov.tr/bildirim/tr-24-1010\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\"}]",
      "sourceIdentifier": "iletisim@usom.gov.tr",
      "vulnStatus": "Awaiting Analysis",
      "weaknesses": "[{\"source\": \"iletisim@usom.gov.tr\", \"type\": \"Secondary\", \"description\": [{\"lang\": \"en\", \"value\": \"CWE-611\"}]}]"
    },
    "nvd": "{\"cve\":{\"id\":\"CVE-2024-5625\",\"sourceIdentifier\":\"iletisim@usom.gov.tr\",\"published\":\"2024-07-18T18:15:05.753\",\"lastModified\":\"2024-11-21T09:48:02.390\",\"vulnStatus\":\"Awaiting Analysis\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"Improper Restriction of XML External Entity Reference vulnerability in PruvaSoft Informatics Apinizer Management Console allows Data Serialization External Entities Blowup.This issue affects Apinizer Management Console: before 2024.05.1.\"},{\"lang\":\"es\",\"value\":\"La restricci\u00f3n inadecuada de la vulnerabilidad de referencia de entidades externas XML en PruvaSoft Informatics Apinizer Management Console permite la explosi\u00f3n de entidades externas de serializaci\u00f3n de datos. Este problema afecta a Apinizer Management Console: antes de 2024.05.1.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"iletisim@usom.gov.tr\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N\",\"baseScore\":6.5,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"NONE\",\"availabilityImpact\":\"NONE\"},\"exploitabilityScore\":2.8,\"impactScore\":3.6}]},\"weaknesses\":[{\"source\":\"iletisim@usom.gov.tr\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-611\"}]}],\"references\":[{\"url\":\"https://www.usom.gov.tr/bildirim/tr-24-1010\",\"source\":\"iletisim@usom.gov.tr\"},{\"url\":\"https://www.usom.gov.tr/bildirim/tr-24-1010\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"}]}}",
    "vulnrichment": {
      "containers": "{\"adp\": [{\"title\": \"CVE Program Container\", \"references\": [{\"url\": \"https://www.usom.gov.tr/bildirim/tr-24-1010\", \"tags\": [\"x_transferred\"]}], \"providerMetadata\": {\"orgId\": \"af854a3a-2127-422b-91ae-364da2661108\", \"shortName\": \"CVE\", \"dateUpdated\": \"2024-08-01T21:18:06.243Z\"}}, {\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2024-5625\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"none\"}, {\"Automatable\": \"no\"}, {\"Technical Impact\": \"partial\"}], \"version\": \"2.0.3\", \"timestamp\": \"2024-07-18T17:23:51.362139Z\"}}}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2024-07-18T17:23:57.039Z\"}}], \"cna\": {\"title\": \"XML External Entity Injection in PruvaSoft Informatics\u0027 Apinizer Management Console\", \"source\": {\"defect\": [\"TR-24-1010\"], \"advisory\": \"TR-24-1010\", \"discovery\": \"UNKNOWN\"}, \"credits\": [{\"lang\": \"en\", \"type\": \"finder\", \"value\": \"Ak\\u0131n \\u015eENGEZER\"}], \"impacts\": [{\"capecId\": \"CAPEC-221\", \"descriptions\": [{\"lang\": \"en\", \"value\": \"CAPEC-221 Data Serialization External Entities Blowup\"}]}], \"metrics\": [{\"format\": \"CVSS\", \"cvssV3_1\": {\"scope\": \"UNCHANGED\", \"version\": \"3.1\", \"baseScore\": 6.5, \"attackVector\": \"NETWORK\", \"baseSeverity\": \"MEDIUM\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N\", \"integrityImpact\": \"NONE\", \"userInteraction\": \"NONE\", \"attackComplexity\": \"LOW\", \"availabilityImpact\": \"NONE\", \"privilegesRequired\": \"LOW\", \"confidentialityImpact\": \"HIGH\"}, \"scenarios\": [{\"lang\": \"en\", \"value\": \"GENERAL\"}]}], \"affected\": [{\"vendor\": \"PruvaSoft Informatics\", \"product\": \"Apinizer Management Console\", \"versions\": [{\"status\": \"affected\", \"version\": \"0\", \"lessThan\": \"2024.05.1\", \"versionType\": \"custom\"}], \"defaultStatus\": \"unaffected\"}], \"references\": [{\"url\": \"https://www.usom.gov.tr/bildirim/tr-24-1010\"}], \"x_generator\": {\"engine\": \"Vulnogram 0.2.0\"}, \"descriptions\": [{\"lang\": \"en\", \"value\": \"Improper Restriction of XML External Entity Reference vulnerability in PruvaSoft Informatics Apinizer Management Console allows Data Serialization External Entities Blowup.This issue affects Apinizer Management Console: before 2024.05.1.\", \"supportingMedia\": [{\"type\": \"text/html\", \"value\": \"Improper Restriction of XML External Entity Reference vulnerability in PruvaSoft Informatics Apinizer Management Console allows Data Serialization External Entities Blowup.\u003cp\u003eThis issue affects Apinizer Management Console: before 2024.05.1.\u003c/p\u003e\", \"base64\": false}]}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-611\", \"description\": \"CWE-611 Improper Restriction of XML External Entity Reference\"}]}], \"providerMetadata\": {\"orgId\": \"ca940d4e-fea4-4aa2-9a58-591a58b1ce21\", \"shortName\": \"TR-CERT\", \"dateUpdated\": \"2024-07-18T17:12:37.358Z\"}}}",
      "cveMetadata": "{\"cveId\": \"CVE-2024-5625\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2024-08-01T21:18:06.243Z\", \"dateReserved\": \"2024-06-04T08:50:37.804Z\", \"assignerOrgId\": \"ca940d4e-fea4-4aa2-9a58-591a58b1ce21\", \"datePublished\": \"2024-07-18T17:12:37.358Z\", \"assignerShortName\": \"TR-CERT\"}",
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }
  }
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.