HistoryAug 30, 2024 - 1:15 p.m.

CVE-2024-8260

2024-08-30 13:15:12
CWE-294
tenable
web.nvd.nist.gov
27
smb force-authentication
opa for windows
input validation

CVSS3: 7.3

Attack Vector: LOCAL
Attack Complexity: LOW
Privileges Required: LOW
User Interaction: REQUIRED
Scope: UNCHANGED
Confidentiality Impact: HIGH
Integrity Impact: HIGH
Availability Impact: HIGH

CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H

AI Score: 7.2
Confidence: High

EPSS: 0
Percentile: 9.5%

An SMB force-authentication vulnerability exists in all versions of OPA for Windows prior to v0.68.0. The vulnerability is caused by improper input validation, which allows a user to pass an arbitrary SMB share instead of a Rego file as an argument to the OPA CLI or to one of the OPA Go library’s functions.

Affected configurations

Nvd

Node: openpolicyagent open_policy_agent (Range: <0.68.0) AND microsoft windows (Match: -)

Vendor | Product | Version | CPE
openpolicyagent | open_policy_agent | * | cpe:2.3:a:openpolicyagent:open_policy_agent:*:*:*:*:*:*:*:*
microsoft | windows | - | cpe:2.3:o:microsoft:windows:-:*:*:*:*:*:*:*

CNA Affected

[
  {
    "collectionURL": "https://github.com/open-policy-agent/opa",
    "defaultStatus": "unaffected",
    "product": "OPA",
    "vendor": "Styra",
    "versions": [
      {
        "lessThan": "v0.68.0",
        "status": "affected",
        "version": "0",
        "versionType": "custom"
      }
    ]
  }
]
