Lucene search

HCLCVELIST:CVE-2024-23558

HistoryApr 15, 2024 - 9:00 p.m.

CVE-2024-23558 HCL DevOps Deploy / HCL Launch does not invalidate all session authentication cookies after logout

2024-04-1521:00:12

HCL

www.cve.org

cve-2024-23558

hcl devops

hcl launch

session authentication

vulnerability

impersonation

6.3 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

LOW

Integrity Impact

LOW

Availability Impact

LOW

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L

6.5 Medium

AI Score

Confidence

High

0.0004 Low

EPSS

Percentile

9.1%

JSON

HCL DevOps Deploy / HCL Launch does not invalidate session after logout which could allow an authenticated user to impersonate another user on the system.

CNA Affected

[
  {
    "defaultStatus": "unaffected",
    "product": "DevOps Deploy / Launch",
    "vendor": "HCL Software",
    "versions": [
      {
        "status": "affected",
        "version": "7.0 - 7.0.5.20, 7.1 - 7.1.2.16,  7.2 - 7.2.3.9,  7.3 - 7.3.2.4, 8.0 - 8.0.0.1"
      }
    ]
  }
]

References

support.hcltechsw.com/csm?id=kb_article&sysparm_article=KB0111923