github - ghsa-v9w7-jfhc-2mj9

GHSA-V9W7-JFHC-2MJ9

Vulnerability from github – Published: 2024-10-10 09:30 – Updated: 2024-10-10 09:30

Details

The conformance validation endpoint is public so everybody can verify the conformance of onboarded services. The response could contain specific information about the service, including available endpoints, and swagger. It could advise about the running version of a service to an attacker. The attacker could also check if a service is running.

Severity ?

5.3 (Medium)


                  
                    CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

Show details on source website

JSON

To clipboard

{
  "affected": [],
  "aliases": [
    "CVE-2024-9802"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-312"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-10-10T08:15:04Z",
    "severity": "MODERATE"
  },
  "details": "The conformance validation endpoint is public so everybody can verify the conformance of onboarded services. The response could contain specific information about the service, including available endpoints, and swagger. It could advise about the running version of a service to an attacker. The attacker could also check if a service is running.",
  "id": "GHSA-v9w7-jfhc-2mj9",
  "modified": "2024-10-10T09:30:35Z",
  "published": "2024-10-10T09:30:35Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-9802"
    },
    {
      "type": "WEB",
      "url": "https://github.com/zowe/api-layer"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

CVE-2024-9802 (GCVE-0-2024-9802)

Vulnerability from cvelistv5 – Published: 2024-10-10 07:41 – Updated: 2024-10-10 14:22

Summary

Severity ?

5.3 (Medium)


                        
                          CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N/E:U/RL:O/RC:C

CWE

CWE-312 - Cleartext Storage of Sensitive Information

Assigner

Zowe

References

URL

Tags

https://github.com/zowe/api-layer

product

Impacted products

	Vendor	Product	Version
	Open Mainframe Project	Zowe	Affected: 2.11.0 , < 2.17.0 (semver)

Credits

Pablo Hernan Carle Pavel Jareš

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "affected": [
          {
            "cpes": [
              "cpe:2.3:a:linuxfoundation:zowe_api_mediation_layer:*:*:*:*:*:*:*:*"
            ],
            "defaultStatus": "unknown",
            "product": "zowe_api_mediation_layer",
            "vendor": "linuxfoundation",
            "versions": [
              {
                "lessThan": "2.17.0",
                "status": "affected",
                "version": "2.11.0",
                "versionType": "semver"
              }
            ]
          }
        ],
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2024-9802",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2024-10-10T13:45:19.081095Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "problemTypes": [
          {
            "descriptions": [
              {
                "cweId": "CWE-312",
                "description": "CWE-312 Cleartext Storage of Sensitive Information",
                "lang": "en",
                "type": "CWE"
              }
            ]
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2024-10-10T14:22:43.244Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "Zowe",
          "vendor": "Open Mainframe Project",
          "versions": [
            {
              "lessThan": "2.17.0",
              "status": "affected",
              "version": "2.11.0",
              "versionType": "semver"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "Pablo Hernan Carle"
        },
        {
          "lang": "en",
          "type": "finder",
          "value": "Pavel Jare\u0161"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "The conformance validation endpoint is public so everybody can verify the conformance of onboarded services. The response could contain specific information about the service, including available endpoints, and swagger. It could advise about the running version of a service to an attacker. The attacker could also check if a service is running."
        }
      ],
      "exploits": [
        {
          "lang": "en",
          "value": "There are no known exploits of this issue however exploits targeting this issue are publicly available."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "baseScore": 5.3,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N/E:U/RL:O/RC:C",
            "version": "3.1"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2024-10-10T07:41:03.374Z",
        "orgId": "b1336bef-059d-4e13-b11b-9a6ef21b3c78",
        "shortName": "Zowe"
      },
      "references": [
        {
          "tags": [
            "product"
          ],
          "url": "https://github.com/zowe/api-layer"
        }
      ],
      "solutions": [
        {
          "lang": "en",
          "value": "There is a fix since version 2.17.0, authentication is required for the endpoints."
        }
      ],
      "title": "Conformance validation endpoint discloses detail about service to unauthenticated users",
      "workarounds": [
        {
          "lang": "en",
          "value": "No workaround is available."
        }
      ]
    }
  },
  "cveMetadata": {
    "assignerOrgId": "b1336bef-059d-4e13-b11b-9a6ef21b3c78",
    "assignerShortName": "Zowe",
    "cveId": "CVE-2024-9802",
    "datePublished": "2024-10-10T07:41:03.374Z",
    "dateReserved": "2024-10-10T07:41:03.236Z",
    "dateUpdated": "2024-10-10T14:22:43.244Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

GHSA-V9W7-JFHC-2MJ9

CVE-2024-9802 (GCVE-0-2024-9802)

Tags

Sightings

Nomenclature