CVE-2024-4465

An access control vulnerability was discovered in the Reports section due to a specific access restriction not being properly enforced for users with limited privileges. If a logged-in user with reporting privileges learns how to create a specific application request, they might be able to make limited changes to the reporting configuration. This could result in a partial loss of data integrity. In Guardian/CMC instances with a reporting configuration, there could be limited Denial of Service (DoS) impacts, as the reports may not reach their intended destination, and there could also be limited information disclosure impacts. Furthermore, modifying the destination SMTP server for the reports could lead to the compromise of external credentials, as they might be sent to an unauthorized server. This could expand the scope of the attack.
References
Link Resource
https://security.nozominetworks.com/NN-2024:2-01 Vendor Advisory
Configurations

Configuration 1 (hide)

OR cpe:2.3:a:nozominetworks:cmc:*:*:*:*:*:*:*:*
cpe:2.3:a:nozominetworks:guardian:*:*:*:*:*:*:*:*

History

20 Sep 2024, 13:15

Type Values Removed Values Added
Summary (en) An access control vulnerability was discovered in the Reports section due to a specific access restriction not being properly enforced for users with limited privileges. If a logged-in user with reporting privileges learns how to create a specific application request, they might be able to make limited changes to the reporting configuration. This could result in a partial loss of data integrity. In Guardian/CMC instances with a reporting configuration, there could be limited Denial of Service (DoS) impacts, as the reports may not reach their intended destination, and there could also be limited information disclosure impacts. Furthermore, modifying the destination SMTP server for the reports could lead to the compromise of external credentials, as they might be sent to an unauthorized server. (en) An access control vulnerability was discovered in the Reports section due to a specific access restriction not being properly enforced for users with limited privileges. If a logged-in user with reporting privileges learns how to create a specific application request, they might be able to make limited changes to the reporting configuration. This could result in a partial loss of data integrity. In Guardian/CMC instances with a reporting configuration, there could be limited Denial of Service (DoS) impacts, as the reports may not reach their intended destination, and there could also be limited information disclosure impacts. Furthermore, modifying the destination SMTP server for the reports could lead to the compromise of external credentials, as they might be sent to an unauthorized server. This could expand the scope of the attack.

18 Sep 2024, 20:35

Type Values Removed Values Added
CVSS v2 : unknown
v3 : 6.0
v2 : unknown
v3 : 5.0
First Time Nozominetworks
Nozominetworks cmc
Nozominetworks guardian
CPE cpe:2.3:a:nozominetworks:cmc:*:*:*:*:*:*:*:*
cpe:2.3:a:nozominetworks:guardian:*:*:*:*:*:*:*:*
Summary
  • (es) Se descubrió una vulnerabilidad de control de acceso en la sección Informes debido a que una restricción de acceso específica no se aplica correctamente para los usuarios con privilegios limitados. Si un usuario conectado con privilegios de informes aprende a crear una solicitud de aplicación específica, podría realizar cambios limitados en la configuración de informes. Esto podría provocar una pérdida parcial de la integridad de los datos. En las instancias de Guardian/CMC con una configuración de informes, podría haber impactos limitados de denegación de servicio (DoS), ya que los informes podrían no llegar a su destino previsto, y también podría haber impactos limitados de divulgación de información. Además, modificar el servidor SMTP de destino para los informes podría provocar la vulneración de credenciales externas, ya que podrían enviarse a un servidor no autorizado.
References () https://security.nozominetworks.com/NN-2024:2-01 - () https://security.nozominetworks.com/NN-2024:2-01 - Vendor Advisory

11 Sep 2024, 15:15

Type Values Removed Values Added
New CVE

Information

Published : 2024-09-11 15:15

Updated : 2024-09-20 13:15


NVD link : CVE-2024-4465

Mitre link : CVE-2024-4465

CVE.ORG link : CVE-2024-4465


JSON object : View

Products Affected

nozominetworks

  • guardian
  • cmc
CWE
CWE-863

Incorrect Authorization