cve-2024-43376
Vulnerability from cvelistv5
Published
2024-08-20 14:40
Modified
2024-08-20 17:40
Severity ?
4.3 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
Summary
Umbraco CMS vulnerable to Generation of Error Message Containing Sensitive Information
References
security-advisories@github.comhttps://github.com/umbraco/Umbraco-CMS/commit/b76070c794925932cb159ef50b851db6e966a004Patch
security-advisories@github.comhttps://github.com/umbraco/Umbraco-CMS/security/advisories/GHSA-77gj-crhp-3gvxVendor Advisory
Impacted products
umbracoUmbraco-CMS
Show details on NVD website

To clipboard 

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2024-43376",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2024-08-20T17:39:49.675110Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2024-08-20T17:40:07.164Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "Umbraco-CMS",
          "vendor": "umbraco",
          "versions": [
            {
              "status": "affected",
              "version": "\u003e= 14.0.0, \u003c 14.1.2"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Umbraco is an ASP.NET CMS. Some endpoints in the Management API can return stack trace information, even when Umbraco is not in debug mode. This vulnerability is fixed in 14.1.2."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 4.3,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "LOW",
            "integrityImpact": "NONE",
            "privilegesRequired": "LOW",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-209",
              "description": "CWE-209: Generation of Error Message Containing Sensitive Information",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2024-08-20T14:40:20.338Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/umbraco/Umbraco-CMS/security/advisories/GHSA-77gj-crhp-3gvx",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/umbraco/Umbraco-CMS/security/advisories/GHSA-77gj-crhp-3gvx"
        },
        {
          "name": "https://github.com/umbraco/Umbraco-CMS/commit/b76070c794925932cb159ef50b851db6e966a004",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/umbraco/Umbraco-CMS/commit/b76070c794925932cb159ef50b851db6e966a004"
        }
      ],
      "source": {
        "advisory": "GHSA-77gj-crhp-3gvx",
        "discovery": "UNKNOWN"
      },
      "title": "Umbraco CMS vulnerable to Generation of Error Message Containing Sensitive Information"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2024-43376",
    "datePublished": "2024-08-20T14:40:20.338Z",
    "dateReserved": "2024-08-09T14:23:55.514Z",
    "dateUpdated": "2024-08-20T17:40:07.164Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1",
  "meta": {
    "nvd": "{\"cve\":{\"id\":\"CVE-2024-43376\",\"sourceIdentifier\":\"security-advisories@github.com\",\"published\":\"2024-08-20T15:15:23.277\",\"lastModified\":\"2024-08-26T18:24:06.530\",\"vulnStatus\":\"Analyzed\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"Umbraco is an ASP.NET CMS. Some endpoints in the Management API can return stack trace information, even when Umbraco is not in debug mode. This vulnerability is fixed in 14.1.2.\"},{\"lang\":\"es\",\"value\":\"Umbraco es un CMS ASP.NET. Algunos endpoints de la API de administraci\u00f3n pueden devolver informaci\u00f3n de seguimiento de la pila, incluso cuando Umbraco no est\u00e1 en modo de depuraci\u00f3n. Esta vulnerabilidad se soluciona en 14.1.2.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"LOW\",\"integrityImpact\":\"NONE\",\"availabilityImpact\":\"NONE\",\"baseScore\":5.3,\"baseSeverity\":\"MEDIUM\"},\"exploitabilityScore\":3.9,\"impactScore\":1.4},{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"LOW\",\"integrityImpact\":\"NONE\",\"availabilityImpact\":\"NONE\",\"baseScore\":4.3,\"baseSeverity\":\"MEDIUM\"},\"exploitabilityScore\":2.8,\"impactScore\":1.4}]},\"weaknesses\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-209\"}]},{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-209\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:umbraco:umbraco_cms:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"14.0.0\",\"versionEndExcluding\":\"14.1.2\",\"matchCriteriaId\":\"DDE797CA-C733-40BA-96B9-C114B93160F0\"}]}]}],\"references\":[{\"url\":\"https://github.com/umbraco/Umbraco-CMS/commit/b76070c794925932cb159ef50b851db6e966a004\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Patch\"]},{\"url\":\"https://github.com/umbraco/Umbraco-CMS/security/advisories/GHSA-77gj-crhp-3gvx\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Vendor Advisory\"]}]}}"
  }
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




  • Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
  • Confirmed: The vulnerability is confirmed from an analyst perspective.
  • Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
  • Patched: This vulnerability was successfully patched by the user reporting the sighting.
  • Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
  • Not confirmed: The user expresses doubt about the veracity of the vulnerability.
  • Not patched: This vulnerability was not successfully patched by the user reporting the sighting.