CVE-2024-33891

  1. OpenCVE
  2. Vulnerabilities (CVE)
  3. CVE-2024-33891
Delinea Secret Server before 11.7.000001 allows attackers to bypass authentication via the SOAP API in SecretServer/webservices/SSWebService.asmx. This is related to a hardcoded key, the use of the integer 2 for the Admin user, and removal of the oauthExpirationId attribute.

8.8 /10

CVSS v3 : HIGH

V3 Legend

Vector :

Exploitability : 2.8 / Impact : 5.9

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required LOW

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope UNCHANGED

References
Link Resource
https://delinea.com/products/secret-server
https://docs.delinea.com/online-help/secret-server/release-notes/ss-rn-11-7-000001.htm
https://straightblast.medium.com/all-your-secrets-are-belong-to-us-a-delinea-secret-server-authn-authz-bypass-adc26c800ad3
https://trust.delinea.com/?tcuUid=17aaf4ef-ada9-46d5-bf97-abd3b07daae3
https://delinea.com/products/secret-server
https://docs.delinea.com/online-help/secret-server/release-notes/ss-rn-11-7-000001.htm
https://straightblast.medium.com/all-your-secrets-are-belong-to-us-a-delinea-secret-server-authn-authz-bypass-adc26c800ad3
https://trust.delinea.com/?tcuUid=17aaf4ef-ada9-46d5-bf97-abd3b07daae3
Configurations

No configuration.

History

21 Nov 2024, 09:17

Type Values Removed Values Added
References () https://delinea.com/products/secret-server - () https://delinea.com/products/secret-server -
References () https://docs.delinea.com/online-help/secret-server/release-notes/ss-rn-11-7-000001.htm - () https://docs.delinea.com/online-help/secret-server/release-notes/ss-rn-11-7-000001.htm -
References () https://straightblast.medium.com/all-your-secrets-are-belong-to-us-a-delinea-secret-server-authn-authz-bypass-adc26c800ad3 - () https://straightblast.medium.com/all-your-secrets-are-belong-to-us-a-delinea-secret-server-authn-authz-bypass-adc26c800ad3 -
References () https://trust.delinea.com/?tcuUid=17aaf4ef-ada9-46d5-bf97-abd3b07daae3 - () https://trust.delinea.com/?tcuUid=17aaf4ef-ada9-46d5-bf97-abd3b07daae3 -

03 Jul 2024, 01:59

Type Values Removed Values Added
Summary
  • (es) Delinea Secret Server anterior a 11.7.000001 permite a los atacantes eludir la autenticación a través de la API SOAP en SecretServer/webservices/SSWebService.asmx. Esto está relacionado con una clave codificada, el uso del número entero 2 para el usuario administrador y la eliminación del atributo oauthExpirationId.
CWE CWE-321

28 Apr 2024, 23:15

Type Values Removed Values Added
New CVE
Information

Published : 2024-04-28 23:15

Updated : 2024-11-21 09:17

NVD link : CVE-2024-33891

Mitre link : CVE-2024-33891

CVE.ORG link : CVE-2024-33891

JSON object : View

Products Affected

No product.

CWE
CWE-321

Use of Hard-coded Cryptographic Key


NetmanageIT Website NetmanageIT OSINT Web NetmanageIT OpenCTI NetmanageIT PDF Tools NetmanageIT CTO Corner Blog NetmanageIT Email Header Analyzer NetmanageIT Password Pusher NetmanageIT Internet Health and Latency Dashboard NetmanageIT Dedicated Speed Test Site NetmanageIT Ubuntu Mirror 10Gbps Copyright OpenCVE 2024