CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
HIGH
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
AI Score
Confidence
High
EPSS
Percentile
15.5%
org.igniterealtime.openfire:xmppserver is vulnerable to Improper Privilege Management. Administrative status is recorded as a list of usernames kept separately from the user accounts themselves, and deleting a user does not remove that user's entry from the list. If an account that holds administrative privileges is deleted and a new account is later created with the same username, the new account holds administrative privileges from the moment it is created, whoever controls it. An attacker able to create accounts can therefore regain or obtain administrative access by recreating a deleted administrator's username. Until the referenced fix is applied, operators should remove an account from the administrator list whenever it is deleted and should audit that list for entries that no longer correspond to an existing account.
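The following is an added illustration, not code from Openfire or from this advisory. It models the pattern the description refers to: a username-keyed administrator list that is not pruned when a user is deleted, side by side with the hardened behaviour, plus an audit helper that flags administrator entries with no matching account. The Server class, its method names, the constructed usernames and the comma-separated administrator list format are all assumptions made for the example.

```python
"""Model of an administrator grant that outlives its user account.

Added example, not Openfire's code. Administrative status is stored as a
set of usernames separate from the user store, so deleting a user without
pruning that set lets a later account with the same name inherit it.
"""
from dataclasses import dataclass, field


@dataclass
class Server:
    # Hypothetical server model; names are assumptions for this example.
    users: set = field(default_factory=set)
    admins: set = field(default_factory=set)   # usernames with admin status
    prune_on_delete: bool = False  # False reproduces the bug, True the fix

    def create_user(self, username: str) -> None:
        if username in self.users:
            raise ValueError(f"user already exists: {username}")
        self.users.add(username)

    def delete_user(self, username: str) -> None:
        self.users.remove(username)
        if self.prune_on_delete:
            # Hardened behaviour: revoke the grant together with the account.
            self.admins.discard(username)

    def grant_admin(self, username: str) -> None:
        if username not in self.users:
            raise ValueError(f"no such user: {username}")
        self.admins.add(username)

    def is_admin(self, username: str) -> bool:
        return username in self.users and username in self.admins


def recreate_after_delete(prune_on_delete: bool) -> bool:
    """Delete an admin account, recreate the username, report admin status."""
    s = Server(prune_on_delete=prune_on_delete)
    s.create_user("alice")          # constructed sample account
    s.grant_admin("alice")
    s.delete_user("alice")
    s.create_user("alice")          # attacker-controlled recreation
    return s.is_admin("alice")      # True when the list is not pruned


def dangling_admins(admin_list: str, usernames) -> list:
    """Audit helper: administrator entries with no corresponding account.

    admin_list is assumed to be a comma-separated list of usernames or
    bare JIDs (local@domain); the local part is compared case-insensitively
    against the existing usernames. Any entry returned would be inherited
    by a newly created account of that name on an unpatched server.
    """
    present = {u.lower() for u in usernames}
    stale = []
    for entry in admin_list.split(","):
        entry = entry.strip()
        if not entry:
            continue
        local = entry.split("@", 1)[0].lower()
        if local not in present:
            stale.append(entry)
    return stale


if __name__ == "__main__":
    print("vulnerable: recreated user is admin ->", recreate_after_delete(False))
    print("hardened:   recreated user is admin ->", recreate_after_delete(True))
    # Constructed sample: alice was deleted but never removed from the list.
    print("stale admin entries:",
          dangling_admins("alice@xmpp.example, bob@xmpp.example", ["bob"]))
```

The audit function is the check a practitioner would run against the configured administrator list before and after a patch: any entry it reports is a username that, if registered again by anyone, would come back as an administrator.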
github.com/advisories/GHSA-5xvc-rwv8-86p7
github.com/igniterealtime/Openfire/blob/main/xmppserver/src/main/java/org/jivesoftware/openfire/admin/AdminManager.java
github.com/igniterealtime/Openfire/commit/5c022bfa82d71d1710381ab395b100cdbcb8f310
www.hackthebox.com/blog/openfire-cves-explained-CVE-2024-25420-CVE-2024-25421
www.igniterealtime.org/projects/openfire/