Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
cveNozomiCVE-2024-4465
HistorySep 11, 2024 - 3:15 p.m.

CVE-2024-4465

2024-09-1115:15:18
CWE-863
Nozomi
web.nvd.nist.gov
29
access control
reports section
loss of data integrity
denial of service
information disclosure
smtp server compromise
external credentials

CVSS3

6

Attack Vector

NETWORK

Attack Complexity

HIGH

Privileges Required

LOW

User Interaction

NONE

Scope

CHANGED

Confidentiality Impact

LOW

Integrity Impact

LOW

Availability Impact

LOW

CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:L/I:L/A:L

CVSS4

5.8

Attack Vector

NETWORK

Attack Complexity

HIGH

Privileges Required

LOW

User Interaction

NONE

CVSS:4.0/AV:N/AC:H/AT:P/PR:L/UI:N/VC:L/SC:H/VI:L/SI:H/VA:L/SA:H

AI Score

5.1

Confidence

High

EPSS

0

Percentile

14.1%

JSON

An access control vulnerability was discovered in the Reports section due to a specific access restriction not being properly enforced for users with limited privileges.

If a logged-in user with reporting privileges learns how to create a specific application request, they might be able to make limited changes to the reporting configuration. This could result in a partial loss of data integrity. In Guardian/CMC instances with a reporting configuration, there could be limited Denial of Service (DoS) impacts, as the reports may not reach their intended destination, and there could also be limited information disclosure impacts. Furthermore, modifying the destination SMTP server for the reports could lead to the compromise of external credentials, as they might be sent to an unauthorized server. This could expand the scope of the attack.

Affected configurations

Nvd
Node
nozominetworkscmcRange<24.2.0
OR
nozominetworksguardianRange<24.2.0
VendorProductVersionCPE
nozominetworkscmc*cpe:2.3:a:nozominetworks:cmc:*:*:*:*:*:*:*:*
nozominetworksguardian*cpe:2.3:a:nozominetworks:guardian:*:*:*:*:*:*:*:*

CNA Affected

[
  {
    "defaultStatus": "unaffected",
    "product": "Guardian",
    "vendor": "Nozomi Networks",
    "versions": [
      {
        "lessThan": "24.2.0",
        "status": "affected",
        "version": "0",
        "versionType": "semver"
      }
    ]
  },
  {
    "defaultStatus": "unaffected",
    "product": "CMC",
    "vendor": "Nozomi Networks",
    "versions": [
      {
        "lessThan": "24.2.0",
        "status": "affected",
        "version": "0",
        "versionType": "semver"
      }
    ]
  }
]

Related

vulnrichment 1
cvelist 1
nvd 1
vulnrichment
vulnrichment
CVE-2024-4465 Incorrect authorization for Reports configuration in Guardian/CMC before 24.2.0
2024-09-11 14:45:21
cvelist
cvelist
CVE-2024-4465 Incorrect authorization for Reports configuration in Guardian/CMC before 24.2.0
2024-09-11 14:45:21
nvd
nvd
CVE-2024-4465
2024-09-11 15:15:18

CVSS3

6

Attack Vector

NETWORK

Attack Complexity

HIGH

Privileges Required

LOW

User Interaction

NONE

Scope

CHANGED

Confidentiality Impact

LOW

Integrity Impact

LOW

Availability Impact

LOW

CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:L/I:L/A:L

CVSS4

5.8

Attack Vector

NETWORK

Attack Complexity

HIGH

Privileges Required

LOW

User Interaction

NONE

CVSS:4.0/AV:N/AC:H/AT:P/PR:L/UI:N/VC:L/SC:H/VI:L/SI:H/VA:L/SA:H

AI Score

5.1

Confidence

High

EPSS

0

Percentile

14.1%

JSON
Related for CVE-2024-4465
vulnrichment1cvelist1nvd1