CVE-2024-39324

2024-07-0221:15:11

CWE-863

CWE-1220

GitHub_M

web.nvd.nist.gov

aimeos graphql api

improper access control

editors

manage services

patch

CVSS3

3.8

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

HIGH

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

LOW

Availability Impact

LOW

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:L

AI Score

4.3

Confidence

High

EPSS

Percentile

15.8%

JSON

aimeos/ai-admin-graphql is the Aimeos GraphQL API admin interface. Starting in version 2022.04.1 and prior to versions 2022.10.10, 2023.10.6, and 2024.4.2, improper access control allows a editors to manage own services via GraphQL API which isn’t allowed in the JQAdm front end. Versions 2022.10.10, 2023.10.6, and 2024.4.2 contain a patch for the issue.

Affected configurations

Vulners

Node

aimeosai_admin_jsonadmRange2022.04.1–2022.10.10

aimeosai_admin_jsonadmRange2023.04.1–2023.10.6

aimeosai_admin_jsonadm

VendorProductVersionCPE
aimeosai_admin_jsonadm*cpe:2.3:a:aimeos:ai_admin_jsonadm:*:*:*:*:*:*:*:*

Vendor	Product	Version	CPE
aimeos	ai_admin_jsonadm	*	cpe:2.3:a:aimeos:ai_admin_jsonadm::::::::

CNA Affected

[
  {
    "vendor": "aimeos",
    "product": "ai-admin-graphql",
    "versions": [
      {
        "version": ">= 2022.04.1, < 2022.10.10",
        "status": "affected"
      },
      {
        "version": ">= 2023.04.1, < 2023.10.6",
        "status": "affected"
      },
      {
        "version": "= 2024.04.1",
        "status": "affected"
      }
    ]
  }
]