CVE-2024-37346 (GCVE-0-2024-37346)

Vulnerability from cvelistv5 – Published: 2024-06-20 16:51 – Updated: 2024-08-02 03:50
VLAI?
Summary
There is an insufficient input validation vulnerability in the Warehouse component of Absolute Secure Access prior to 13.06. Attackers with system administrator permissions can impair the availability of certain elements of the Secure Access administrative UI by writing invalid data to the warehouse over the network. There is no loss of warehouse integrity or confidentiality, the security scope is unchanged. Loss of availability is high.
Severity ?
4.9 (Medium)
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H
CWE
  • CWE-20 - Improper Input Validation
Assigner
References
Impacted products
Vendor Product Version
Absolute Software Secure Access Affected: 0 , < 13.06 (Server)
Create a notification for this product.
Show details on NVD website
To clipboard 

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2024-37346",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2024-06-25T15:24:52.742650Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2024-06-25T15:24:58.961Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      },
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-02T03:50:55.993Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://www.absolute.com/platform/security-information/vulnerability-archive/secure-access-1306/cve-2024-37346/"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Secure Access",
          "vendor": "Absolute Software",
          "versions": [
            {
              "lessThan": "13.06",
              "status": "affected",
              "version": "0",
              "versionType": "Server"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "\u003cp\u003eThere is an insufficient input validation vulnerability in\nthe Warehouse component of Absolute Secure Access prior to 13.06. Attackers\nwith system administrator permissions can impair the availability of certain\nelements of the Secure Access administrative UI by writing invalid data to the\nwarehouse over the network. There is no loss of warehouse integrity or\nconfidentiality, the security scope is unchanged. Loss of availability is high.\n\u003c/p\u003e\n\n\n\n\n\n"
            }
          ],
          "value": "There is an insufficient input validation vulnerability in\nthe Warehouse component of Absolute Secure Access prior to 13.06. Attackers\nwith system administrator permissions can impair the availability of certain\nelements of the Secure Access administrative UI by writing invalid data to the\nwarehouse over the network. There is no loss of warehouse integrity or\nconfidentiality, the security scope is unchanged. Loss of availability is high."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 4.9,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "NONE",
            "integrityImpact": "NONE",
            "privilegesRequired": "HIGH",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H",
            "version": "3.1"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-20",
              "description": "CWE-20 Improper Input Validation",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2024-06-20T16:51:37.265Z",
        "orgId": "b6533044-ea05-4482-8458-7bddeca0d079",
        "shortName": "Absolute"
      },
      "references": [
        {
          "url": "https://www.absolute.com/platform/security-information/vulnerability-archive/secure-access-1306/cve-2024-37346/"
        }
      ],
      "solutions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "Upgrade to Absolute Secure Access v13.06 or later. \u003cbr\u003e"
            }
          ],
          "value": "Upgrade to Absolute Secure Access v13.06 or later."
        }
      ],
      "source": {
        "discovery": "UNKNOWN"
      },
      "title": "Insufficient input validation vulnerability in the Absolute Secure Access Warehouse prior to 13.06",
      "x_generator": {
        "engine": "Vulnogram 0.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "b6533044-ea05-4482-8458-7bddeca0d079",
    "assignerShortName": "Absolute",
    "cveId": "CVE-2024-37346",
    "datePublished": "2024-06-20T16:51:37.265Z",
    "dateReserved": "2024-06-05T21:07:26.876Z",
    "dateUpdated": "2024-08-02T03:50:55.993Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1",
  "vulnerability-lookup:meta": {
    "fkie_nvd": {
      "configurations": "[{\"nodes\": [{\"operator\": \"OR\", \"negate\": false, \"cpeMatch\": [{\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:absolute:secure_access:*:*:*:*:*:*:*:*\", \"versionEndExcluding\": \"13.06\", \"matchCriteriaId\": \"1113DB3C-BD71-42ED-A4AF-0098AA744FD8\"}]}]}]",
      "descriptions": "[{\"lang\": \"en\", \"value\": \"There is an insufficient input validation vulnerability in\\nthe Warehouse component of Absolute Secure Access prior to 13.06. Attackers\\nwith system administrator permissions can impair the availability of certain\\nelements of the Secure Access administrative UI by writing invalid data to the\\nwarehouse over the network. There is no loss of warehouse integrity or\\nconfidentiality, the security scope is unchanged. Loss of availability is high.\"}, {\"lang\": \"es\", \"value\": \"Existe una vulnerabilidad de validaci\\u00f3n de entrada insuficiente en el componente Almac\\u00e9n de Absolute Secure Access antes de la versi\\u00f3n 13.06. Los atacantes con permisos de administrador del sistema pueden afectar la disponibilidad de ciertos elementos de la interfaz de usuario administrativa de Secure Access al escribir datos no v\\u00e1lidos en el almac\\u00e9n a trav\\u00e9s de la red. No hay p\\u00e9rdida de integridad o confidencialidad del almac\\u00e9n, el alcance de la seguridad no cambia. La p\\u00e9rdida de disponibilidad es alta.\"}]",
      "id": "CVE-2024-37346",
      "lastModified": "2024-11-21T09:23:41.620",
      "metrics": "{\"cvssMetricV31\": [{\"source\": \"SecurityResponse@netmotionsoftware.com\", \"type\": \"Secondary\", \"cvssData\": {\"version\": \"3.1\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H\", \"baseScore\": 4.9, \"baseSeverity\": \"MEDIUM\", \"attackVector\": \"NETWORK\", \"attackComplexity\": \"LOW\", \"privilegesRequired\": \"HIGH\", \"userInteraction\": \"NONE\", \"scope\": \"UNCHANGED\", \"confidentialityImpact\": \"NONE\", \"integrityImpact\": \"NONE\", \"availabilityImpact\": \"HIGH\"}, \"exploitabilityScore\": 1.2, \"impactScore\": 3.6}, {\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"cvssData\": {\"version\": \"3.1\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H\", \"baseScore\": 4.9, \"baseSeverity\": \"MEDIUM\", \"attackVector\": \"NETWORK\", \"attackComplexity\": \"LOW\", \"privilegesRequired\": \"HIGH\", \"userInteraction\": \"NONE\", \"scope\": \"UNCHANGED\", \"confidentialityImpact\": \"NONE\", \"integrityImpact\": \"NONE\", \"availabilityImpact\": \"HIGH\"}, \"exploitabilityScore\": 1.2, \"impactScore\": 3.6}]}",
      "published": "2024-06-20T17:15:51.623",
      "references": "[{\"url\": \"https://www.absolute.com/platform/security-information/vulnerability-archive/secure-access-1306/cve-2024-37346/\", \"source\": \"SecurityResponse@netmotionsoftware.com\", \"tags\": [\"Vendor Advisory\"]}, {\"url\": \"https://www.absolute.com/platform/security-information/vulnerability-archive/secure-access-1306/cve-2024-37346/\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Vendor Advisory\"]}]",
      "sourceIdentifier": "SecurityResponse@netmotionsoftware.com",
      "vulnStatus": "Modified",
      "weaknesses": "[{\"source\": \"SecurityResponse@netmotionsoftware.com\", \"type\": \"Secondary\", \"description\": [{\"lang\": \"en\", \"value\": \"CWE-20\"}]}, {\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"description\": [{\"lang\": \"en\", \"value\": \"NVD-CWE-noinfo\"}]}]"
    },
    "nvd": "{\"cve\":{\"id\":\"CVE-2024-37346\",\"sourceIdentifier\":\"SecurityResponse@netmotionsoftware.com\",\"published\":\"2024-06-20T17:15:51.623\",\"lastModified\":\"2024-11-21T09:23:41.620\",\"vulnStatus\":\"Modified\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"There is an insufficient input validation vulnerability in\\nthe Warehouse component of Absolute Secure Access prior to 13.06. Attackers\\nwith system administrator permissions can impair the availability of certain\\nelements of the Secure Access administrative UI by writing invalid data to the\\nwarehouse over the network. There is no loss of warehouse integrity or\\nconfidentiality, the security scope is unchanged. Loss of availability is high.\"},{\"lang\":\"es\",\"value\":\"Existe una vulnerabilidad de validaci\u00f3n de entrada insuficiente en el componente Almac\u00e9n de Absolute Secure Access antes de la versi\u00f3n 13.06. Los atacantes con permisos de administrador del sistema pueden afectar la disponibilidad de ciertos elementos de la interfaz de usuario administrativa de Secure Access al escribir datos no v\u00e1lidos en el almac\u00e9n a trav\u00e9s de la red. No hay p\u00e9rdida de integridad o confidencialidad del almac\u00e9n, el alcance de la seguridad no cambia. La p\u00e9rdida de disponibilidad es alta.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"SecurityResponse@netmotionsoftware.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H\",\"baseScore\":4.9,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"HIGH\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"NONE\",\"integrityImpact\":\"NONE\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":1.2,\"impactScore\":3.6},{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H\",\"baseScore\":4.9,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"HIGH\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"NONE\",\"integrityImpact\":\"NONE\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":1.2,\"impactScore\":3.6}]},\"weaknesses\":[{\"source\":\"SecurityResponse@netmotionsoftware.com\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-20\"}]},{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"NVD-CWE-noinfo\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:absolute:secure_access:*:*:*:*:*:*:*:*\",\"versionEndExcluding\":\"13.06\",\"matchCriteriaId\":\"1113DB3C-BD71-42ED-A4AF-0098AA744FD8\"}]}]}],\"references\":[{\"url\":\"https://www.absolute.com/platform/security-information/vulnerability-archive/secure-access-1306/cve-2024-37346/\",\"source\":\"SecurityResponse@netmotionsoftware.com\",\"tags\":[\"Vendor Advisory\"]},{\"url\":\"https://www.absolute.com/platform/security-information/vulnerability-archive/secure-access-1306/cve-2024-37346/\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Vendor Advisory\"]}]}}",
    "vulnrichment": {
      "containers": "{\"adp\": [{\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2024-37346\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"none\"}, {\"Automatable\": \"no\"}, {\"Technical Impact\": \"partial\"}], \"version\": \"2.0.3\", \"timestamp\": \"2024-06-25T15:24:52.742650Z\"}}}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2024-06-25T15:24:56.451Z\"}}], \"cna\": {\"title\": \"Insufficient input validation vulnerability in the Absolute Secure Access Warehouse prior to 13.06\", \"source\": {\"discovery\": \"UNKNOWN\"}, \"metrics\": [{\"format\": \"CVSS\", \"cvssV3_1\": {\"scope\": \"UNCHANGED\", \"version\": \"3.1\", \"baseScore\": 4.9, \"attackVector\": \"NETWORK\", \"baseSeverity\": \"MEDIUM\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H\", \"integrityImpact\": \"NONE\", \"userInteraction\": \"NONE\", \"attackComplexity\": \"LOW\", \"availabilityImpact\": \"HIGH\", \"privilegesRequired\": \"HIGH\", \"confidentialityImpact\": \"NONE\"}, \"scenarios\": [{\"lang\": \"en\", \"value\": \"GENERAL\"}]}], \"affected\": [{\"vendor\": \"Absolute Software\", \"product\": \"Secure Access\", \"versions\": [{\"status\": \"affected\", \"version\": \"0\", \"lessThan\": \"13.06\", \"versionType\": \"Server\"}], \"defaultStatus\": \"unaffected\"}], \"solutions\": [{\"lang\": \"en\", \"value\": \"Upgrade to Absolute Secure Access v13.06 or later.\", \"supportingMedia\": [{\"type\": \"text/html\", \"value\": \"Upgrade to Absolute Secure Access v13.06 or later. \u003cbr\u003e\", \"base64\": false}]}], \"references\": [{\"url\": \"https://www.absolute.com/platform/security-information/vulnerability-archive/secure-access-1306/cve-2024-37346/\"}], \"x_generator\": {\"engine\": \"Vulnogram 0.2.0\"}, \"descriptions\": [{\"lang\": \"en\", \"value\": \"There is an insufficient input validation vulnerability in\\nthe Warehouse component of Absolute Secure Access prior to 13.06. Attackers\\nwith system administrator permissions can impair the availability of certain\\nelements of the Secure Access administrative UI by writing invalid data to the\\nwarehouse over the network. There is no loss of warehouse integrity or\\nconfidentiality, the security scope is unchanged. Loss of availability is high.\", \"supportingMedia\": [{\"type\": \"text/html\", \"value\": \"\u003cp\u003eThere is an insufficient input validation vulnerability in\\nthe Warehouse component of Absolute Secure Access prior to 13.06. Attackers\\nwith system administrator permissions can impair the availability of certain\\nelements of the Secure Access administrative UI by writing invalid data to the\\nwarehouse over the network. There is no loss of warehouse integrity or\\nconfidentiality, the security scope is unchanged. Loss of availability is high.\\n\u003c/p\u003e\\n\\n\\n\\n\\n\\n\", \"base64\": false}]}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-20\", \"description\": \"CWE-20 Improper Input Validation\"}]}], \"providerMetadata\": {\"orgId\": \"b6533044-ea05-4482-8458-7bddeca0d079\", \"shortName\": \"Absolute\", \"dateUpdated\": \"2024-06-20T16:51:37.265Z\"}}}",
      "cveMetadata": "{\"cveId\": \"CVE-2024-37346\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2024-06-25T15:24:58.961Z\", \"dateReserved\": \"2024-06-05T21:07:26.876Z\", \"assignerOrgId\": \"b6533044-ea05-4482-8458-7bddeca0d079\", \"datePublished\": \"2024-06-20T16:51:37.265Z\", \"assignerShortName\": \"Absolute\"}",
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }
  }
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.