Lucene search

FortraCVE-2024-4332

HistoryJun 03, 2024 - 6:15 p.m.

CVE-2024-4332

2024-06-0318:15:09

CWE-303

Fortra

web.nvd.nist.gov

cve-2024-4332

nvd

CVSS4

9.3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/SC:L/VI:H/SI:L/VA:H/SA:N/S:N/AU:Y/U:Red/R:U/V:C/RE:L

AI Score

7.5

Confidence

Low

EPSS

Percentile

9.0%

JSON

An authentication bypass vulnerability has been identified in the REST and SOAP API components of Tripwire Enterprise (TE) 9.1.0 when TE is configured to use LDAP/Active Directory SAML authentication and its optional “Auto-synchronize LDAP Users, Roles, and Groups” feature is enabled. This vulnerability allows unauthenticated attackers to bypass authentication if a valid username is known. Exploitation of this vulnerability could allow remote attackers to gain privileged access to the APIs and lead to unauthorized information disclosure or modification.

CNA Affected

[
  {
    "defaultStatus": "unaffected",
    "modules": [
      "API authentication",
      "REST API",
      "SOAP API"
    ],
    "product": "Tripwire Enterprise",
    "vendor": "Fortra",
    "versions": [
      {
        "status": "affected",
        "version": "9.1.0"
      }
    ]
  }
]

References

www.fortra.com/security/advisory/fi-2024-006

CVSS4

9.3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/SC:L/VI:H/SI:L/VA:H/SA:N/S:N/AU:Y/U:Red/R:U/V:C/RE:L

AI Score

7.5

Confidence

Low

EPSS

Percentile

9.0%

JSON

Related for CVE-2024-4332