CVE-2024-24765

2024-03-0618:15:46

CWE-200

[email protected]

web.nvd.nist.gov

casaos

userservice

unauthorized access

system files

cve-2024-24765

7.5 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

0.0004 Low

EPSS

Percentile

15.7%

JSON

CasaOS-UserService provides user management functionalities to CasaOS. Prior to version 0.4.7, path filtering of the URL for user avatar image files was not strict, making it possible to get any file on the system. This could allow an unauthorized actor to access, for example, the CasaOS user database, and possibly obtain system root privileges. Version 0.4.7 fixes this issue.

Affected configurations

Vulners

Node

icewhaletechcasaos_userserviceRange<0.4.7

CNA Affected

[
  {
    "vendor": "IceWhaleTech",
    "product": "CasaOS-UserService",
    "versions": [
      {
        "version": "< 0.4.7",
        "status": "affected"
      }
    ]
  }
]