Lucene search

ZoweCVE-2024-6834

HistoryJul 17, 2024 - 3:15 p.m.

CVE-2024-6834

2024-07-1715:15:14

CWE-250

Zowe

web.nvd.nist.gov

cve-2024-6834

user privileges

proxied request

internal client certificate

user credentials

CVSS3

Attack Vector

NETWORK

Attack Complexity

HIGH

Privileges Required

NONE

User Interaction

NONE

Scope

CHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H

AI Score

Confidence

High

EPSS

Percentile

9.3%

JSON

A vulnerability in APIML Spring Cloud Gateway which leverages user privileges by unexpected signing proxied request by Zowe’s client certificate. This allows access to a user to the endpoints requiring an internal client certificate without any credentials. It could lead to managing components in there and allow an attacker to handle the whole communication including user credentials.

CNA Affected

[
  {
    "vendor": "Open Mainframe Project",
    "product": "Zowe",
    "versions": [
      {
        "version": "2.4.0",
        "status": "affected",
        "lessThan": "2.14.0",
        "versionType": "semver"
      }
    ]
  }
]

References

github.com/zowe/api-layer

CVSS3

Attack Vector

NETWORK

Attack Complexity

HIGH

Privileges Required

NONE

User Interaction

NONE

Scope

CHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H

AI Score

Confidence

High

EPSS

Percentile

9.3%

JSON

Related for CVE-2024-6834