CVE-2024-21545
Vulnerability from cvelistv5
Published: 2024-09-24 07:25
Modified: 2024-09-24 14:57
Severity: HIGH (CVSS v3.1 base score 8.2, as assessed by the CNA)
Summary
Proxmox Virtual Environment is an open-source server management platform for enterprise virtualization. Insufficient safeguards against malicious API response values allow authenticated attackers with 'Sys.Audit' or 'VM.Monitor' privileges to download arbitrary host files via the API.
When handling the result from a request handler before returning it to the user, the handle_api2_request function checks for a 'download' or 'data'->'download' object inside the request handler's response object. If one is present, handle_api2_request reads the local file named by that object and returns it to the user.
Two endpoints were identified that let the caller control the object returned by a request handler sufficiently that the 'download' object is defined and user controlled. This results in arbitrary file read.
Because the read is performed with the privileges of the API process, it can lead to full compromise of the system through various impacts, such as disclosure of sensitive files that enables forgery of privileged sessions.
Impacted products

Vendor | Product | Version
---|---|---
Proxmox | pve-manager | 0 ≤ version < 7.4-19
Proxmox | pve-manager | 8.0.0 ≤ version < 8.2.7
CVE record (cvelistv5, data version 5.1)

CVE metadata
- CVE ID: CVE-2024-21545
- State: PUBLISHED
- Assigner: snyk (org ID bae035ff-b466-4ff4-94d0-fc9efd9e1730)
- Reserved: 2023-12-22T12:33:20.124Z
- Published: 2024-09-24T07:25:12.184Z
- Last updated: 2024-09-24T14:57:45.924Z

CNA container (snyk, updated 2024-09-24T07:25:12.184Z)

Affected products (all vendor Proxmox, version type semver):

Product | Affected range
---|---
pve-manager | 0 ≤ version < 7.4-19; 8.0.0 ≤ version < 8.2.7
libpve-storage-perl | 0 ≤ version < 7.4-4; 8.0.0 ≤ version < 8.2.5
libpve-http-server-perl | 3.2-1 ≤ version < 4.3.0; 5.0.0 ≤ version < 5.1.1
pmg-api | 0 ≤ version < 7.3-12; 8.0.0 ≤ version < 8.1.4
libpve-common-perl (Proxmox VE 8) | 0 ≤ version < 8.2.3
libpve-common-perl (Proxmox Mail Gateway 8) | 0 ≤ version < 8.2.5

Metrics: CVSS v3.1 base score 8.2 (HIGH), vector CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:N (attack vector network, attack complexity high, privileges required low, no user interaction, scope changed, confidentiality impact high, integrity impact high, availability impact none).
Problem type: CWE-73 External Control of File Name or Path.
Credits: Rory McNamara (Snyk Security Research).
Description: the English text given in the Summary above.

References:
- https://git.proxmox.com/?p=pve-http-server.git;a=blob;f=src/PVE/APIServer/AnyEvent.pm;h=a8d60c18102d2eea9235720852fb60d90f405d0a;hb=HEAD#l988
- https://forum.proxmox.com/threads/proxmox-virtual-environment-security-advisories.149331/post-705345

ADP container ("CISA ADP Vulnrichment", CISA-ADP, org ID 134c704f-9b21-4f2e-91b3-4a467353bcc0, updated 2024-09-24T14:57:45.924Z)

Affected products (vendor proxmox, version type semver, default status unknown):

Product | CPE | Affected range
---|---|---
mail_gateway | cpe:2.3:a:proxmox:mail_gateway:*:*:*:*:*:*:*:* | 6.0 ≤ version < 7.2; 8.0 ≤ version < 8.1-1
virtual_environment | cpe:2.3:a:proxmox:virtual_environment:*:*:*:*:*:*:*:* | 6.0 ≤ version < 7.3; 8.0 ≤ version < 8.2-2

SSVC (version 2.0.3, role CISA Coordinator, timestamp 2024-09-24T13:52:32.343980Z): Exploitation none; Automatable no; Technical Impact total.
Problem type: CWE-73 External Control of File Name or Path.

NVD entry (vulnerability-lookup meta)
- Source identifier: report@snyk.io
- Published: 2024-09-25T01:15:40.180; last modified: 2024-09-26T13:32:02.803
- Status: Awaiting Analysis
- CVSS v3.1 (secondary, from report@snyk.io): base score 8.2 HIGH, same vector as above; exploitability score 1.8, impact score 5.8
- Weaknesses: CWE-73 (secondary, reported both by report@snyk.io and by the CISA ADP)
- References: the same two URLs listed above
- Descriptions: the English text given in the Summary above, plus a Spanish translation of it