CVE-2024-9984

Enterprise Cloud Database from Ragic does not authenticate access to specific functionality, allowing unauthenticated remote attackers to use this functionality to obtain any user's session cookie.

CVSS v3 9.8 CRITICAL

9.8^/10

CVSS v3 : CRITICAL

Vector :

Exploitability : 3.9 / Impact : 5.9

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope UNCHANGED

References

Link	Resource
https://www.twcert.org.tw/en/cp-139-8151-1a4b5-2.html	Third Party Advisory
https://www.twcert.org.tw/tw/cp-132-8150-c955a-1.html	Third Party Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:ragic:enterprise_cloud_database:*:*:*:*:*:*:*:*

History

16 Oct 2024, 22:03

Type	Values Removed	Values Added
References	~~() https://www.twcert.org.tw/en/cp-139-8151-1a4b5-2.html -~~	() https://www.twcert.org.tw/en/cp-139-8151-1a4b5-2.html - Third Party Advisory
References	~~() https://www.twcert.org.tw/tw/cp-132-8150-c955a-1.html -~~	() https://www.twcert.org.tw/tw/cp-132-8150-c955a-1.html - Third Party Advisory
First Time		Ragic enterprise Cloud Database Ragic
CPE		cpe:2.3:a:ragic:enterprise_cloud_database::::::::

15 Oct 2024, 12:57

Type	Values Removed	Values Added
Summary		(es) Enterprise Cloud Database de Ragic no autentica el acceso a una funcionalidad específica, lo que permite que atacantes remotos no autenticados utilicen esta funcionalidad para obtener la cookie de sesión de cualquier usuario.

15 Oct 2024, 09:15

Type	Values Removed	Values Added
New CVE

Information

Published : 2024-10-15 09:15

Updated : 2024-10-16 22:03

NVD link : CVE-2024-9984

Mitre link : CVE-2024-9984

CVE.ORG link : CVE-2024-9984

JSON object : View

Products Affected

ragic

enterprise_cloud_database

CWE

CWE-306

Missing Authentication for Critical Function

{"id": "CVE-2024-9984", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 9.8, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 5.9, "exploitabilityScore": 3.9}, {"type": "Secondary", "source": "twcert@cert.org.tw", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 9.8, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 5.9, "exploitabilityScore": 3.9}]}, "published": "2024-10-15T09:15:04.480", "references": [{"url": "https://www.twcert.org.tw/en/cp-139-8151-1a4b5-2.html", "tags": ["Third Party Advisory"], "source": "twcert@cert.org.tw"}, {"url": "https://www.twcert.org.tw/tw/cp-132-8150-c955a-1.html", "tags": ["Third Party Advisory"], "source": "twcert@cert.org.tw"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "twcert@cert.org.tw", "description": [{"lang": "en", "value": "CWE-306"}]}], "descriptions": [{"lang": "en", "value": "Enterprise Cloud Database from Ragic does not authenticate access to specific functionality, allowing unauthenticated remote attackers to use this functionality to obtain any user's session cookie."}, {"lang": "es", "value": "Enterprise Cloud Database de Ragic no autentica el acceso a una funcionalidad espec\u00edfica, lo que permite que atacantes remotos no autenticados utilicen esta funcionalidad para obtener la cookie de sesi\u00f3n de cualquier usuario."}], "lastModified": "2024-10-16T22:03:23.407", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:ragic:enterprise_cloud_database:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "123DB9B3-4CC2-4700-B34E-B6BC405B33A6", "versionEndExcluding": "2024-08-08"}], "operator": "OR"}]}], "sourceIdentifier": "twcert@cert.org.tw"}