9.8

CVE-2024-24765

Exploit

EPSS 0.46%
Veröffentlicht 06.03.2024 18:15:46
Zuletzt bearbeitet 26.02.2025 15:14:55
Quelle security-advisories@github.com
CVE-Watchlists
Login
Unerledigt
Login

CasaOS-UserService provides user management functionalities to CasaOS. Prior to version 0.4.7, path filtering of the URL for user avatar image files was not strict, making it possible to get any file on the system. This could allow an unauthorized actor to access, for example, the CasaOS user database, and possibly obtain system root privileges. Version 0.4.7 fixes this issue.

Betroffene Produkte Warnungen 0 Metriken 3 CWE 1 Referenzen 6

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Icewhale ≫ Casaos Version < 0.4.7

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	0.46%	0.634

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
nvd@nist.gov	9.8	3.9	5.9	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
security-advisories@github.com	7.5	3.9	3.6	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

CWE-200 Exposure of Sensitive Information to an Unauthorized Actor

The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information.

https://github.com/IceWhaleTech/CasaOS-UserService/commit/3f4558e23c0a9958f9a0e20aabc64aa8fd51840e

Patch

https://github.com/IceWhaleTech/CasaOS-UserService/releases/tag/v0.4.7

Release Notes

https://github.com/IceWhaleTech/CasaOS-UserService/security/advisories/GHSA-h5gf-cmm8-cg7c

Vendor Advisory

Exploit

https://nvd.nist.gov/vuln/detail/CVE-2024-24765

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2024-24765

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2024-24765

EUVD