Lucene search

Rapid7VULNRICHMENT:CVE-2024-6922

HistoryJul 26, 2024 - 1:52 p.m.

CVE-2024-6922 Server-Side Request Forgery in Automation 360

2024-07-2613:52:28

CWE-918

rapid7

github.com

automation 360

server-side request forgery

vulnerability

web api

CVSS4

6.9

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/SC:N/VI:L/SI:N/VA:N/SA:N

AI Score

Confidence

High

EPSS

0.001

Percentile

18.9%

SSVC

Exploitation

none

Automatable

Technical Impact

partial

JSON

Automation Anywhere Automation 360 v21-v32 is vulnerable to Server-Side Request Forgery in a web API component. An attacker with unauthenticated access to the Automation 360 Control Room HTTPS service (port 443) or HTTP service (port 80) can trigger arbitrary web requests from the server.

CNA Affected

[
  {
    "vendor": "Automationanywhere",
    "modules": [
      "API"
    ],
    "product": "Automation 360",
    "versions": [
      {
        "status": "affected",
        "version": "21",
        "versionType": "cpe",
        "lessThanOrEqual": "32"
      }
    ],
    "platforms": [
      "Windows",
      "Linux"
    ],
    "defaultStatus": "unaffected"
  }
]

References

www.automationanywhere.com/products/automation-360

CVSS4

6.9

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/SC:N/VI:L/SI:N/VA:N/SA:N

AI Score

Confidence

High

EPSS

0.001

Percentile

18.9%

SSVC

Exploitation

none

Automatable

Technical Impact

partial

JSON

Related for VULNRICHMENT:CVE-2024-6922