CVE-2024-2053

  1. OpenCVE
  2. Vulnerabilities (CVE)
  3. CVE-2024-2053
The Artica Proxy administrative web application will deserialize arbitrary PHP objects supplied by unauthenticated users and subsequently enable code execution as the "www-data" user. This issue was demonstrated on version 4.50 of the The Artica-Proxy administrative web application attempts to prevent local file inclusion. These protections can be bypassed and arbitrary file requests supplied by unauthenticated users will be returned according to the privileges of the "www-data" user.

7.5 /10

CVSS v3 : HIGH

V3 Legend

Vector :

Exploitability : 3.9 / Impact : 3.6

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact NONE

Availability Impact NONE

Scope UNCHANGED

References
Link Resource
http://seclists.org/fulldisclosure/2024/Mar/11
https://korelogic.com/Resources/Advisories/KL-001-2024-001.txt
http://seclists.org/fulldisclosure/2024/Mar/11
https://korelogic.com/Resources/Advisories/KL-001-2024-001.txt
Configurations

No configuration.

History

21 Nov 2024, 09:08

Type Values Removed Values Added
References () http://seclists.org/fulldisclosure/2024/Mar/11 - () http://seclists.org/fulldisclosure/2024/Mar/11 -
References () https://korelogic.com/Resources/Advisories/KL-001-2024-001.txt - () https://korelogic.com/Resources/Advisories/KL-001-2024-001.txt -

06 Aug 2024, 15:35

Type Values Removed Values Added
CVSS v2 : unknown
v3 : unknown 		v2 : unknown
v3 : 7.5
Summary
  • (es) La aplicación web administrativa Artica Proxy deserializará objetos PHP arbitrarios proporcionados por usuarios no autenticados y posteriormente permitirá la ejecución de código como usuario "www-data". Este problema se demostró en la versión 4.50 de La aplicación web administrativa Artica-Proxy intenta evitar la inclusión de archivos locales. Estas protecciones se pueden eludir y las solicitudes de archivos arbitrarias proporcionadas por usuarios no autenticados se devolverán de acuerdo con los privilegios del usuario "www-data".

21 Mar 2024, 02:52

Type Values Removed Values Added
New CVE
Information

Published : 2024-03-21 02:52

Updated : 2024-11-21 09:08

NVD link : CVE-2024-2053

Mitre link : CVE-2024-2053

CVE.ORG link : CVE-2024-2053

JSON object : View

Products Affected

No product.

CWE
CWE-23

Relative Path Traversal


NetmanageIT Website NetmanageIT OSINT Web NetmanageIT OpenCTI NetmanageIT PDF Tools NetmanageIT CTO Corner Blog NetmanageIT Email Header Analyzer NetmanageIT Password Pusher NetmanageIT Internet Health and Latency Dashboard NetmanageIT Dedicated Speed Test Site NetmanageIT Ubuntu Mirror 10Gbps Copyright OpenCVE 2024