Lucene search

FortraCVELIST:CVE-2024-4332

HistoryJun 03, 2024 - 5:38 p.m.

CVE-2024-4332 Improper Authentication in Tripwire Enterprise 9.1.0 APIs

2024-06-0317:38:54

CWE-303

Fortra

www.cve.org

cve-2024-4332

improper authentication

tripwire enterprise

ldap/active directory

saml

remote attackers

information disclosure

modification

CVSS4

9.3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/SC:L/VI:H/SI:L/VA:H/SA:N/S:N/AU:Y/U:Red/R:U/V:C/RE:L

AI Score

6.9

Confidence

Low

EPSS

Percentile

9.0%

JSON

An authentication bypass vulnerability has been identified in the REST and SOAP API components of Tripwire Enterprise (TE) 9.1.0 when TE is configured to use LDAP/Active Directory SAML authentication and its optional “Auto-synchronize LDAP Users, Roles, and Groups” feature is enabled. This vulnerability allows unauthenticated attackers to bypass authentication if a valid username is known. Exploitation of this vulnerability could allow remote attackers to gain privileged access to the APIs and lead to unauthorized information disclosure or modification.

CNA Affected

[
  {
    "defaultStatus": "unaffected",
    "modules": [
      "API authentication",
      "REST API",
      "SOAP API"
    ],
    "product": "Tripwire Enterprise",
    "vendor": "Fortra",
    "versions": [
      {
        "status": "affected",
        "version": "9.1.0"
      }
    ]
  }
]

References

www.fortra.com/security/advisory/fi-2024-006

CVSS4

9.3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/SC:L/VI:H/SI:L/VA:H/SA:N/S:N/AU:Y/U:Red/R:U/V:C/RE:L

AI Score

6.9

Confidence

Low

EPSS

Percentile

9.0%

JSON

Related for CVELIST:CVE-2024-4332