GitHub Advisory Database: GHSA-5XVC-RWV8-86P7
Mar 26, 2024 - 9:30 p.m.

Ignite Realtime Openfire privilege escalation vulnerability

2024-03-26 21:30:47
CWE-273
CWE-863
GitHub Advisory Database
github.com
ignite realtime
openfire
privilege escalation
vulnerability
remote attacker
admin.authorizedjids
system property

CVSS3: 7.2

Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: HIGH
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: HIGH
Integrity Impact: HIGH
Availability Impact: HIGH

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

AI Score: 7.2
Confidence: High

EPSS: 0
Percentile: 15.5%

An issue in Ignite Realtime Openfire v.4.8.0 and before allows a remote attacker to escalate privileges via the admin.authorizedJIDs system property component.

Affected configurations

Vulners
Node: org.igniterealtime.openfire xmppserver, Range: <4.8.1

Vendor: org.igniterealtime.openfire
Product: xmppserver
Version: *
CPE: cpe:2.3:a:org.igniterealtime.openfire:xmppserver:*:*:*:*:*:*:*:*
