5.3

CVE-2024-37162

EPSS 0.32%
Veröffentlicht 07.06.2024 15:15:50
Zuletzt bearbeitet 21.11.2024 09:23:20
Quelle security-advisories@github.com
CVE-Watchlists
Login
Unerledigt
Login

zsa is a library for building typesafe server actions in Next.js. All users are impacted. The zsa application transfers the parse error stack from the server to the client in production build mode. This can potentially reveal sensitive information about the server environment, such as the machine username and directory paths. An attacker could exploit this vulnerability to gain unauthorized access to sensitive server information. This information could be used to plan further attacks or gain a deeper understanding of the server infrastructure. This has been patched on `0.3.3`.

Betroffene Produkte Warnungen 0 Metriken 3 CWE 1 Referenzen 5

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Idopesok ≫ Zsa Version < 0.3.3

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	0.32%	0.546

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
nvd@nist.gov	5.3	3.9	1.4	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
security-advisories@github.com	4	2.5	1.4	CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

CWE-209 Generation of Error Message Containing Sensitive Information

The product generates an error message that includes sensitive information about its environment, users, or associated data.

https://github.com/IdoPesok/zsa/commit/86b86b282bde6780963f62406cc8bc65f2c86f3a

Patch

https://github.com/IdoPesok/zsa/security/advisories/GHSA-wjmj-h3xc-hxp8

Vendor Advisory

https://nvd.nist.gov/vuln/detail/CVE-2024-37162

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2024-37162

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2024-37162

EUVD