cnvd - cnvd-2020-18629

CNVD-2020-18629

Vulnerability from cnvd - Published: 2020-03-22

Title

Jamf Pro授权问题漏洞

Description

Jamf Pro是美国Jamf公司的一套Apple设备管理解决方案。 Jamf Pro存在授权问题漏洞。该漏洞源于网络系统或产品中缺少身份验证措施或身份验证强度不足。攻击者可利用该漏导致未授权信息泄露，数据完整性受损和数据丢失。

Severity

中

Patch Name

Jamf Pro授权问题漏洞的补丁

Patch Description

Jamf Pro是美国Jamf公司的一套Apple设备管理解决方案。 Jamf Pro存在授权问题漏洞。该漏洞源于网络系统或产品中缺少身份验证措施或身份验证强度不足。攻击者可利用该漏导致未授权信息泄露，数据完整性受损和数据丢失。目前，供应商发布了安全公告及相关补丁信息，修复了此漏洞。

Formal description

厂商已发布了漏洞修复程序，请及时关注更新： https://docs.jamf.com/10.3.0/jamf-pro/release-notes/Bug_Fixes_and_Enhancements.html

Reference

https://nvd.nist.gov/vuln/detail/CVE-2018-10465

Impacted products

Name
Jamf Jamf Pro 10.*，<10.3.0

Show details on source website

JSON

To clipboard

{
  "cves": {
    "cve": {
      "cveNumber": "CVE-2018-10465",
      "cveUrl": "https://nvd.nist.gov/vuln/detail/CVE-2018-10465"
    }
  },
  "description": "Jamf Pro\u662f\u7f8e\u56fdJamf\u516c\u53f8\u7684\u4e00\u5957Apple\u8bbe\u5907\u7ba1\u7406\u89e3\u51b3\u65b9\u6848\u3002\n\nJamf Pro\u5b58\u5728\u6388\u6743\u95ee\u9898\u6f0f\u6d1e\u3002\u8be5\u6f0f\u6d1e\u6e90\u4e8e\u7f51\u7edc\u7cfb\u7edf\u6216\u4ea7\u54c1\u4e2d\u7f3a\u5c11\u8eab\u4efd\u9a8c\u8bc1\u63aa\u65bd\u6216\u8eab\u4efd\u9a8c\u8bc1\u5f3a\u5ea6\u4e0d\u8db3\u3002\u653b\u51fb\u8005\u53ef\u5229\u7528\u8be5\u6f0f\u5bfc\u81f4\u672a\u6388\u6743\u4fe1\u606f\u6cc4\u9732\uff0c\u6570\u636e\u5b8c\u6574\u6027\u53d7\u635f\u548c\u6570\u636e\u4e22\u5931\u3002",
  "formalWay": "\u5382\u5546\u5df2\u53d1\u5e03\u4e86\u6f0f\u6d1e\u4fee\u590d\u7a0b\u5e8f\uff0c\u8bf7\u53ca\u65f6\u5173\u6ce8\u66f4\u65b0\uff1a\r\nhttps://docs.jamf.com/10.3.0/jamf-pro/release-notes/Bug_Fixes_and_Enhancements.html",
  "isEvent": "\u901a\u7528\u8f6f\u786c\u4ef6\u6f0f\u6d1e",
  "number": "CNVD-2020-18629",
  "openTime": "2020-03-22",
  "patchDescription": "Jamf Pro\u662f\u7f8e\u56fdJamf\u516c\u53f8\u7684\u4e00\u5957Apple\u8bbe\u5907\u7ba1\u7406\u89e3\u51b3\u65b9\u6848\u3002\r\n\r\nJamf Pro\u5b58\u5728\u6388\u6743\u95ee\u9898\u6f0f\u6d1e\u3002\u8be5\u6f0f\u6d1e\u6e90\u4e8e\u7f51\u7edc\u7cfb\u7edf\u6216\u4ea7\u54c1\u4e2d\u7f3a\u5c11\u8eab\u4efd\u9a8c\u8bc1\u63aa\u65bd\u6216\u8eab\u4efd\u9a8c\u8bc1\u5f3a\u5ea6\u4e0d\u8db3\u3002\u653b\u51fb\u8005\u53ef\u5229\u7528\u8be5\u6f0f\u5bfc\u81f4\u672a\u6388\u6743\u4fe1\u606f\u6cc4\u9732\uff0c\u6570\u636e\u5b8c\u6574\u6027\u53d7\u635f\u548c\u6570\u636e\u4e22\u5931\u3002\u76ee\u524d\uff0c\u4f9b\u5e94\u5546\u53d1\u5e03\u4e86\u5b89\u5168\u516c\u544a\u53ca\u76f8\u5173\u8865\u4e01\u4fe1\u606f\uff0c\u4fee\u590d\u4e86\u6b64\u6f0f\u6d1e\u3002",
  "patchName": "Jamf Pro\u6388\u6743\u95ee\u9898\u6f0f\u6d1e\u7684\u8865\u4e01",
  "products": {
    "product": "Jamf Jamf Pro 10.*\uff0c\u003c10.3.0"
  },
  "referenceLink": "https://nvd.nist.gov/vuln/detail/CVE-2018-10465",
  "serverity": "\u4e2d",
  "submitTime": "2020-02-05",
  "title": "Jamf Pro\u6388\u6743\u95ee\u9898\u6f0f\u6d1e"
}

CVE-2018-10465 (GCVE-0-2018-10465)

Vulnerability from cvelistv5 – Published: 2020-01-07 18:58 – Updated: 2024-08-05 07:39

Summary

Jamf Pro 10.x before 10.3.0 has Incorrect Access Control. Jamf Pro user accounts and groups with access to log in to Jamf Pro had full access to endpoints in the Universal API (UAPI), regardless of account privileges or privilege sets. An authenticated Jamf Pro account without required privileges could be used to perform CRUD actions (GET, POST, PUT, DELETE) on UAPI endpoints, which could result in unauthorized information disclosure, compromised data integrity, and data loss. For a full listing of available UAPI endpoints and associated CRUD actions you can navigate to /uapi/doc in your instance of Jamf Pro.

Severity ?

No CVSS data available.

CWE

Assigner

mitre

References

URL

Tags

https://docs.jamf.com/10.3.0/jamf-pro/release-not…

x_refsource_CONFIRM

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-05T07:39:07.525Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://docs.jamf.com/10.3.0/jamf-pro/release-notes/Bug_Fixes_and_Enhancements.html"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "n/a",
          "vendor": "n/a",
          "versions": [
            {
              "status": "affected",
              "version": "n/a"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Jamf Pro 10.x before 10.3.0 has Incorrect Access Control. Jamf Pro user accounts and groups with access to log in to Jamf Pro had full access to endpoints in the Universal API (UAPI), regardless of account privileges or privilege sets. An authenticated Jamf Pro account without required privileges could be used to perform CRUD actions (GET, POST, PUT, DELETE) on UAPI endpoints, which could result in unauthorized information disclosure, compromised data integrity, and data loss. For a full listing of available UAPI endpoints and associated CRUD actions you can navigate to /uapi/doc in your instance of Jamf Pro."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "n/a",
              "lang": "en",
              "type": "text"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2020-01-07T18:58:45",
        "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
        "shortName": "mitre"
      },
      "references": [
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://docs.jamf.com/10.3.0/jamf-pro/release-notes/Bug_Fixes_and_Enhancements.html"
        }
      ],
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "cve@mitre.org",
          "ID": "CVE-2018-10465",
          "STATE": "PUBLIC"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "n/a",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "n/a"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "n/a"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "Jamf Pro 10.x before 10.3.0 has Incorrect Access Control. Jamf Pro user accounts and groups with access to log in to Jamf Pro had full access to endpoints in the Universal API (UAPI), regardless of account privileges or privilege sets. An authenticated Jamf Pro account without required privileges could be used to perform CRUD actions (GET, POST, PUT, DELETE) on UAPI endpoints, which could result in unauthorized information disclosure, compromised data integrity, and data loss. For a full listing of available UAPI endpoints and associated CRUD actions you can navigate to /uapi/doc in your instance of Jamf Pro."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "n/a"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://docs.jamf.com/10.3.0/jamf-pro/release-notes/Bug_Fixes_and_Enhancements.html",
              "refsource": "CONFIRM",
              "url": "https://docs.jamf.com/10.3.0/jamf-pro/release-notes/Bug_Fixes_and_Enhancements.html"
            }
          ]
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
    "assignerShortName": "mitre",
    "cveId": "CVE-2018-10465",
    "datePublished": "2020-01-07T18:58:45",
    "dateReserved": "2018-04-26T00:00:00",
    "dateUpdated": "2024-08-05T07:39:07.525Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

CNVD-2020-18629

CVE-2018-10465 (GCVE-0-2018-10465)

Tags

Sightings

Nomenclature