CVE-2024-21545 (GCVE-0-2024-21545)
Vulnerability from cvelistv5 – Published: 2024-09-24 07:25 – Updated: 2024-09-24 14:57
Summary
Proxmox Virtual Environment is an open-source server management platform for enterprise virtualization. Insufficient safeguards against malicious API response values allow authenticated attackers with 'Sys.Audit' or 'VM.Monitor' privileges to download arbitrary host files via the API.
When handling the result from a request handler before returning it to the user, the handle_api2_request function checks for a 'download' or 'data'->'download' object inside the response object returned by the request handler. If present, handle_api2_request reads the local file named by that object and returns it to the user.
Two endpoints were identified whose request handlers return an object that the caller can control sufficiently that the 'download' object is defined and user controlled. This results in arbitrary file read.
The privilege level at which this file read occurs can result in full compromise of the system, for example by disclosing sensitive files that allow privileged session forgery.
Severity
8.2 (High) - CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:N
CWE
- CWE-73 - External Control of File Name or Path
Assigner
snyk
References
- https://git.proxmox.com/?p=pve-http-server.git;a=blob;f=src/PVE/APIServer/AnyEvent.pm;h=a8d60c18102d2eea9235720852fb60d90f405d0a;hb=HEAD#l988
- https://forum.proxmox.com/threads/proxmox-virtual-environment-security-advisories.149331/post-705345
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Proxmox | pve-manager | Affected: 0 , < 7.4-19 (semver); Affected: 8.0.0 , < 8.2.7 (semver) |
Credits
Rory McNamara (Snyk Security Research)
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:2.3:a:proxmox:mail_gateway:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "mail_gateway",
"vendor": "proxmox",
"versions": [
{
"lessThan": "7.2",
"status": "affected",
"version": "6.0",
"versionType": "semver"
},
{
"lessThan": "8.1-1",
"status": "affected",
"version": "8.0",
"versionType": "semver"
}
]
},
{
"cpes": [
"cpe:2.3:a:proxmox:virtual_environment:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "virtual_environment",
"vendor": "proxmox",
"versions": [
{
"lessThan": "7.3",
"status": "affected",
"version": "6.0",
"versionType": "semver"
},
{
"lessThan": "8.2-2",
"status": "affected",
"version": "8.0",
"versionType": "semver"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-21545",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-09-24T13:52:32.343980Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-73",
"description": "CWE-73 External Control of File Name or Path",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-09-24T14:57:45.924Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "pve-manager",
"vendor": "Proxmox",
"versions": [
{
"lessThan": "7.4-19",
"status": "affected",
"version": "0",
"versionType": "semver"
},
{
"lessThan": "8.2.7",
"status": "affected",
"version": "8.0.0",
"versionType": "semver"
}
]
},
{
"product": "libpve-storage-perl",
"vendor": "Proxmox",
"versions": [
{
"lessThan": "7.4-4",
"status": "affected",
"version": "0",
"versionType": "semver"
},
{
"lessThan": "8.2.5",
"status": "affected",
"version": "8.0.0",
"versionType": "semver"
}
]
},
{
"product": "libpve-http-server-perl",
"vendor": "Proxmox",
"versions": [
{
"lessThan": "4.3.0",
"status": "affected",
"version": "3.2-1",
"versionType": "semver"
},
{
"lessThan": "5.1.1",
"status": "affected",
"version": "5.0.0",
"versionType": "semver"
}
]
},
{
"product": "pmg-api",
"vendor": "Proxmox",
"versions": [
{
"lessThan": "7.3-12",
"status": "affected",
"version": "0",
"versionType": "semver"
},
{
"lessThan": "8.1.4",
"status": "affected",
"version": "8.0.0",
"versionType": "semver"
}
]
},
{
"product": "libpve-common-perl (Promox VE 8)",
"vendor": "Proxmox",
"versions": [
{
"lessThan": "8.2.3",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
},
{
"product": "libpve-common-perl (Promox Mail Gateway 8)",
"vendor": "Proxmox",
"versions": [
{
"lessThan": "8.2.5",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "Rory McNamara (Snyk Security Research)"
}
],
"descriptions": [
{
"lang": "en",
"value": "Proxmox Virtual Environment is an open-source server management platform for enterprise virtualization. Insufficient safeguards against malicious API response values allow authenticated attackers with \u0027Sys.Audit\u0027 or \u0027VM.Monitor\u0027 privileges to download arbitrary host files via the API.\nWhen handling the result from a request handler before returning it to the user, the handle_api2_request function will check for the \u2018download\u2019 or \u2018data\u2019-\u003e\u2019download\u2019 objects inside the request handler call response object. If present, handle_api2_request will read a local file defined by this object and return it to the user.\nTwo endpoints were identified which can control the object returned by a request handler sufficiently that the \u2019download\u2019 object is defined and user controlled. This results in arbitrary file read.\nThe privileges of this file read can result in full compromise of the system by various impacts such as disclosing sensitive files allowing for privileged session forgery."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 8.2,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-73",
"description": "External Control of File Name or Path",
"lang": "en"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-09-24T07:25:12.184Z",
"orgId": "bae035ff-b466-4ff4-94d0-fc9efd9e1730",
"shortName": "snyk"
},
"references": [
{
"url": "https://git.proxmox.com/?p=pve-http-server.git;a=blob;f=src/PVE/APIServer/AnyEvent.pm;h=a8d60c18102d2eea9235720852fb60d90f405d0a;hb=HEAD#l988"
},
{
"url": "https://forum.proxmox.com/threads/proxmox-virtual-environment-security-advisories.149331/post-705345"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "bae035ff-b466-4ff4-94d0-fc9efd9e1730",
"assignerShortName": "snyk",
"cveId": "CVE-2024-21545",
"datePublished": "2024-09-24T07:25:12.184Z",
"dateReserved": "2023-12-22T12:33:20.124Z",
"dateUpdated": "2024-09-24T14:57:45.924Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1",
"vulnerability-lookup:meta": {
"fkie_nvd": {
"descriptions": "[{\"lang\": \"en\", \"value\": \"Proxmox Virtual Environment is an open-source server management platform for enterprise virtualization. Insufficient safeguards against malicious API response values allow authenticated attackers with \u0027Sys.Audit\u0027 or \u0027VM.Monitor\u0027 privileges to download arbitrary host files via the API.\\nWhen handling the result from a request handler before returning it to the user, the handle_api2_request function will check for the \\u2018download\\u2019 or \\u2018data\\u2019-\u003e\\u2019download\\u2019 objects inside the request handler call response object. If present, handle_api2_request will read a local file defined by this object and return it to the user.\\nTwo endpoints were identified which can control the object returned by a request handler sufficiently that the \\u2019download\\u2019 object is defined and user controlled. This results in arbitrary file read.\\nThe privileges of this file read can result in full compromise of the system by various impacts such as disclosing sensitive files allowing for privileged session forgery.\"}, {\"lang\": \"es\", \"value\": \"Proxmox Virtual Environment es una plataforma de administraci\\u00f3n de servidores de c\\u00f3digo abierto para la virtualizaci\\u00f3n empresarial. Las protecciones insuficientes contra valores de respuesta de API maliciosos permiten que atacantes autenticados con privilegios \u0027Sys.Audit\u0027 o \u0027VM.Monitor\u0027 descarguen archivos de host arbitrarios a trav\\u00e9s de la API. Al manejar el resultado de un controlador de solicitud antes de devolverlo al usuario, la funci\\u00f3n handle_api2_request verificar\\u00e1 los objetos \u0027download\u0027 o \u0027data\u0027-\u0026gt;\u0027download\u0027 dentro del objeto de respuesta de llamada del controlador de solicitud. Si est\\u00e1 presente, handle_api2_request leer\\u00e1 un archivo local definido por este objeto y lo devolver\\u00e1 al usuario. Se identificaron dos endpoints que pueden controlar el objeto devuelto por un controlador de solicitud lo suficiente como para que el objeto \u0027download\u0027 est\\u00e9 definido y controlado por el usuario. Esto da como resultado la lectura de archivos arbitrarios. Los privilegios de esta lectura de archivos pueden provocar un compromiso total del sistema por varios impactos, como la divulgaci\\u00f3n de archivos confidenciales que permiten la falsificaci\\u00f3n de sesiones privilegiadas.\"}]",
"id": "CVE-2024-21545",
"lastModified": "2024-09-26T13:32:02.803",
"metrics": "{\"cvssMetricV31\": [{\"source\": \"report@snyk.io\", \"type\": \"Secondary\", \"cvssData\": {\"version\": \"3.1\", \"vectorString\": \"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:N\", \"baseScore\": 8.2, \"baseSeverity\": \"HIGH\", \"attackVector\": \"NETWORK\", \"attackComplexity\": \"HIGH\", \"privilegesRequired\": \"LOW\", \"userInteraction\": \"NONE\", \"scope\": \"CHANGED\", \"confidentialityImpact\": \"HIGH\", \"integrityImpact\": \"HIGH\", \"availabilityImpact\": \"NONE\"}, \"exploitabilityScore\": 1.8, \"impactScore\": 5.8}]}",
"published": "2024-09-25T01:15:40.180",
"references": "[{\"url\": \"https://forum.proxmox.com/threads/proxmox-virtual-environment-security-advisories.149331/post-705345\", \"source\": \"report@snyk.io\"}, {\"url\": \"https://git.proxmox.com/?p=pve-http-server.git;a=blob;f=src/PVE/APIServer/AnyEvent.pm;h=a8d60c18102d2eea9235720852fb60d90f405d0a;hb=HEAD#l988\", \"source\": \"report@snyk.io\"}]",
"sourceIdentifier": "report@snyk.io",
"vulnStatus": "Awaiting Analysis",
"weaknesses": "[{\"source\": \"report@snyk.io\", \"type\": \"Secondary\", \"description\": [{\"lang\": \"en\", \"value\": \"CWE-73\"}]}, {\"source\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"type\": \"Secondary\", \"description\": [{\"lang\": \"en\", \"value\": \"CWE-73\"}]}]"
},
"nvd": "{\"cve\":{\"id\":\"CVE-2024-21545\",\"sourceIdentifier\":\"report@snyk.io\",\"published\":\"2024-09-25T01:15:40.180\",\"lastModified\":\"2024-09-26T13:32:02.803\",\"vulnStatus\":\"Awaiting Analysis\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"Proxmox Virtual Environment is an open-source server management platform for enterprise virtualization. Insufficient safeguards against malicious API response values allow authenticated attackers with \u0027Sys.Audit\u0027 or \u0027VM.Monitor\u0027 privileges to download arbitrary host files via the API.\\nWhen handling the result from a request handler before returning it to the user, the handle_api2_request function will check for the \u2018download\u2019 or \u2018data\u2019-\u003e\u2019download\u2019 objects inside the request handler call response object. If present, handle_api2_request will read a local file defined by this object and return it to the user.\\nTwo endpoints were identified which can control the object returned by a request handler sufficiently that the \u2019download\u2019 object is defined and user controlled. This results in arbitrary file read.\\nThe privileges of this file read can result in full compromise of the system by various impacts such as disclosing sensitive files allowing for privileged session forgery.\"},{\"lang\":\"es\",\"value\":\"Proxmox Virtual Environment es una plataforma de administraci\u00f3n de servidores de c\u00f3digo abierto para la virtualizaci\u00f3n empresarial. Las protecciones insuficientes contra valores de respuesta de API maliciosos permiten que atacantes autenticados con privilegios \u0027Sys.Audit\u0027 o \u0027VM.Monitor\u0027 descarguen archivos de host arbitrarios a trav\u00e9s de la API. Al manejar el resultado de un controlador de solicitud antes de devolverlo al usuario, la funci\u00f3n handle_api2_request verificar\u00e1 los objetos \u0027download\u0027 o \u0027data\u0027-\u0026gt;\u0027download\u0027 dentro del objeto de respuesta de llamada del controlador de solicitud. Si est\u00e1 presente, handle_api2_request leer\u00e1 un archivo local definido por este objeto y lo devolver\u00e1 al usuario. Se identificaron dos endpoints que pueden controlar el objeto devuelto por un controlador de solicitud lo suficiente como para que el objeto \u0027download\u0027 est\u00e9 definido y controlado por el usuario. Esto da como resultado la lectura de archivos arbitrarios. Los privilegios de esta lectura de archivos pueden provocar un compromiso total del sistema por varios impactos, como la divulgaci\u00f3n de archivos confidenciales que permiten la falsificaci\u00f3n de sesiones privilegiadas.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"report@snyk.io\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:N\",\"baseScore\":8.2,\"baseSeverity\":\"HIGH\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"HIGH\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"NONE\",\"scope\":\"CHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"NONE\"},\"exploitabilityScore\":1.8,\"impactScore\":5.8}]},\"weaknesses\":[{\"source\":\"report@snyk.io\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-73\"}]},{\"source\":\"134c704f-9b21-4f2e-91b3-4a467353bcc0\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-73\"}]}],\"references\":[{\"url\":\"https://forum.proxmox.com/threads/proxmox-virtual-environment-security-advisories.149331/post-705345\",\"source\":\"report@snyk.io\"},{\"url\":\"https://git.proxmox.com/?p=pve-http-server.git;a=blob;f=src/PVE/APIServer/AnyEvent.pm;h=a8d60c18102d2eea9235720852fb60d90f405d0a;hb=HEAD#l988\",\"source\":\"report@snyk.io\"}]}}",
"vulnrichment": {
"containers": "{\"adp\": [{\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2024-21545\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"none\"}, {\"Automatable\": \"no\"}, {\"Technical Impact\": \"total\"}], \"version\": \"2.0.3\", \"timestamp\": \"2024-09-24T13:52:32.343980Z\"}}}], \"affected\": [{\"cpes\": [\"cpe:2.3:a:proxmox:mail_gateway:*:*:*:*:*:*:*:*\"], \"vendor\": \"proxmox\", \"product\": \"mail_gateway\", \"versions\": [{\"status\": \"affected\", \"version\": \"6.0\", \"lessThan\": \"7.2\", \"versionType\": \"semver\"}, {\"status\": \"affected\", \"version\": \"8.0\", \"lessThan\": \"8.1-1\", \"versionType\": \"semver\"}], \"defaultStatus\": \"unknown\"}, {\"cpes\": [\"cpe:2.3:a:proxmox:virtual_environment:*:*:*:*:*:*:*:*\"], \"vendor\": \"proxmox\", \"product\": \"virtual_environment\", \"versions\": [{\"status\": \"affected\", \"version\": \"6.0\", \"lessThan\": \"7.3\", \"versionType\": \"semver\"}, {\"status\": \"affected\", \"version\": \"8.0\", \"lessThan\": \"8.2-2\", \"versionType\": \"semver\"}], \"defaultStatus\": \"unknown\"}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-73\", \"description\": \"CWE-73 External Control of File Name or Path\"}]}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2024-09-24T13:56:21.416Z\"}}], \"cna\": {\"credits\": [{\"lang\": \"en\", \"value\": \"Rory McNamara (Snyk Security Research)\"}], \"metrics\": [{\"cvssV3_1\": {\"scope\": \"CHANGED\", \"version\": \"3.1\", \"baseScore\": 8.2, \"attackVector\": \"NETWORK\", \"baseSeverity\": \"HIGH\", \"vectorString\": \"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:N\", \"integrityImpact\": \"HIGH\", \"userInteraction\": \"NONE\", \"attackComplexity\": \"HIGH\", \"availabilityImpact\": \"NONE\", \"privilegesRequired\": \"LOW\", \"confidentialityImpact\": \"HIGH\"}}], \"affected\": [{\"vendor\": \"Proxmox\", \"product\": \"pve-manager\", \"versions\": [{\"status\": \"affected\", \"version\": \"0\", \"lessThan\": \"7.4-19\", \"versionType\": \"semver\"}, {\"status\": \"affected\", \"version\": \"8.0.0\", \"lessThan\": \"8.2.7\", \"versionType\": \"semver\"}]}, {\"vendor\": \"Proxmox\", \"product\": \"libpve-storage-perl\", \"versions\": [{\"status\": \"affected\", \"version\": \"0\", \"lessThan\": \"7.4-4\", \"versionType\": \"semver\"}, {\"status\": \"affected\", \"version\": \"8.0.0\", \"lessThan\": \"8.2.5\", \"versionType\": \"semver\"}]}, {\"vendor\": \"Proxmox\", \"product\": \"libpve-http-server-perl\", \"versions\": [{\"status\": \"affected\", \"version\": \"3.2-1\", \"lessThan\": \"4.3.0\", \"versionType\": \"semver\"}, {\"status\": \"affected\", \"version\": \"5.0.0\", \"lessThan\": \"5.1.1\", \"versionType\": \"semver\"}]}, {\"vendor\": \"Proxmox\", \"product\": \"pmg-api\", \"versions\": [{\"status\": \"affected\", \"version\": \"0\", \"lessThan\": \"7.3-12\", \"versionType\": \"semver\"}, {\"status\": \"affected\", \"version\": \"8.0.0\", \"lessThan\": \"8.1.4\", \"versionType\": \"semver\"}]}, {\"vendor\": \"Proxmox\", \"product\": \"libpve-common-perl (Promox VE 8)\", \"versions\": [{\"status\": \"affected\", \"version\": \"0\", \"lessThan\": \"8.2.3\", \"versionType\": \"semver\"}]}, {\"vendor\": \"Proxmox\", \"product\": \"libpve-common-perl (Promox Mail Gateway 8)\", \"versions\": [{\"status\": \"affected\", \"version\": \"0\", \"lessThan\": \"8.2.5\", \"versionType\": \"semver\"}]}], \"references\": [{\"url\": \"https://git.proxmox.com/?p=pve-http-server.git;a=blob;f=src/PVE/APIServer/AnyEvent.pm;h=a8d60c18102d2eea9235720852fb60d90f405d0a;hb=HEAD#l988\"}, {\"url\": \"https://forum.proxmox.com/threads/proxmox-virtual-environment-security-advisories.149331/post-705345\"}], \"descriptions\": [{\"lang\": \"en\", \"value\": \"Proxmox Virtual Environment is an open-source server management platform for enterprise virtualization. Insufficient safeguards against malicious API response values allow authenticated attackers with \u0027Sys.Audit\u0027 or \u0027VM.Monitor\u0027 privileges to download arbitrary host files via the API.\\nWhen handling the result from a request handler before returning it to the user, the handle_api2_request function will check for the \\u2018download\\u2019 or \\u2018data\\u2019-\u003e\\u2019download\\u2019 objects inside the request handler call response object. If present, handle_api2_request will read a local file defined by this object and return it to the user.\\nTwo endpoints were identified which can control the object returned by a request handler sufficiently that the \\u2019download\\u2019 object is defined and user controlled. This results in arbitrary file read.\\nThe privileges of this file read can result in full compromise of the system by various impacts such as disclosing sensitive files allowing for privileged session forgery.\"}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"cweId\": \"CWE-73\", \"description\": \"External Control of File Name or Path\"}]}], \"providerMetadata\": {\"orgId\": \"bae035ff-b466-4ff4-94d0-fc9efd9e1730\", \"shortName\": \"snyk\", \"dateUpdated\": \"2024-09-24T07:25:12.184Z\"}}}",
"cveMetadata": "{\"cveId\": \"CVE-2024-21545\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2024-09-24T14:57:45.924Z\", \"dateReserved\": \"2023-12-22T12:33:20.124Z\", \"assignerOrgId\": \"bae035ff-b466-4ff4-94d0-fc9efd9e1730\", \"datePublished\": \"2024-09-24T07:25:12.184Z\", \"assignerShortName\": \"snyk\"}",
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
}
}
Sightings
| Author | Source | Type | Date |
|---|---|---|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.