History: Jun 10, 2024 - 8:15 p.m.

CVE-2024-37393

2024-06-10 20:15:15
CWE-319
web.nvd.nist.gov
ldap injection
securenvoy mfa
active directory
http endpoint
data exfiltration
laps feature

CVSS3: 7.5 High

Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: HIGH
Integrity Impact: NONE
Availability Impact: NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

AI Score: 7.7 High
Confidence: Low

EPSS: 0.013 Low
Percentile: 86.0%

Multiple LDAP injection vulnerabilities exist in SecurEnvoy MFA before 9.4.514 due to improper validation of user-supplied input. An unauthenticated remote attacker could exfiltrate data from Active Directory through blind LDAP injection attacks against the DESKTOP service exposed on the /secserver HTTP endpoint. This may include ms-Mcs-AdmPwd, which has a cleartext password for the Local Administrator Password Solution (LAPS) feature.

Affected configurations

NVD
Node: securenvoy multi-factor_authentication_solutions
Range: < 9.4.514
