Lucene search

[email protected]NVD:CVE-2024-27905

HistoryFeb 27, 2024 - 3:15 p.m.

CVE-2024-27905

2024-02-2715:15:07

CWE-200

[email protected]

web.nvd.nist.gov

cve-2024-27905

apache aurora

sensitive information

CVSS3

9.1

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

AI Score

7.5

Confidence

Low

EPSS

Percentile

9.0%

JSON

UNSUPPORTED WHEN ASSIGNED Exposure of Sensitive Information to an Unauthorized Actor vulnerability in Apache Aurora.

An endpoint exposing internals to unauthenticated users can be used as a “padding oracle” allowing an anonymous attacker to construct a valid authentication cookie. Potentially this could be combined with vulnerabilities in other components to achieve remote code execution.

As this project is retired, we do not plan to release a version that fixes this issue. Users are recommended to find an alternative or restrict access to the instance to trusted users.

NOTE: This vulnerability only affects products that are no longer supported by the maintainer.

References

www.openwall.com/lists/oss-security/2024/02/27/3

lists.apache.org/thread/564kbv3wqdzkscmdn2bg4vlk48qymryp

CVSS3

9.1

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

AI Score

7.5

Confidence

Low

EPSS

Percentile

9.0%

JSON

Related for NVD:CVE-2024-27905

prion1 vulnrichment1 cvelist1 cve1