CVE-2018-10465 - OpenCVE

Jamf Pro 10.x before 10.3.0 has Incorrect Access Control. Jamf Pro user accounts and groups with access to log in to Jamf Pro had full access to endpoints in the Universal API (UAPI), regardless of account privileges or privilege sets. An authenticated Jamf Pro account without required privileges could be used to perform CRUD actions (GET, POST, PUT, DELETE) on UAPI endpoints, which could result in unauthorized information disclosure, compromised data integrity, and data loss. For a full listing of available UAPI endpoints and associated CRUD actions you can navigate to /uapi/doc in your instance of Jamf Pro.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

No CVSS v3.0

Access Vector Network

Access Complexity Low

Authentication Single

Confidentiality Impact Partial

Integrity Impact Partial

Availability Impact Partial

AV:N/AC:L/Au:S/C:P/I:P/A:P

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Jamf	Jamf

Configuration 1 [-]

cpe:2.3:a:jamf:jamf:*:*:*:*:pro:*:*:*

No data.

References

Link	Providers
https://docs.jamf.com/10.3.0/jamf-pro/release-notes/Bug_Fixes_and_Enhancements.html

History

No history.

MITRE

Status: PUBLISHED

Assigner: mitre

Published: 2020-01-07T18:58:45

Updated: 2024-08-05T07:39:07.525Z

Reserved: 2018-04-26T00:00:00

Link: CVE-2018-10465

Vulnrichment

No data.

NVD

Status : Analyzed

Published: 2020-01-07T19:15:10.307

Modified: 2020-08-24T17:37:01.140

Link: CVE-2018-10465

Redhat

No data.

{"containers": {"cna": {"affected": [{"product": "n/a", "vendor": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "descriptions": [{"lang": "en", "value": "Jamf Pro 10.x before 10.3.0 has Incorrect Access Control. Jamf Pro user accounts and groups with access to log in to Jamf Pro had full access to endpoints in the Universal API (UAPI), regardless of account privileges or privilege sets. An authenticated Jamf Pro account without required privileges could be used to perform CRUD actions (GET, POST, PUT, DELETE) on UAPI endpoints, which could result in unauthorized information disclosure, compromised data integrity, and data loss. For a full listing of available UAPI endpoints and associated CRUD actions you can navigate to /uapi/doc in your instance of Jamf Pro."}], "problemTypes": [{"descriptions": [{"description": "n/a", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2020-01-07T18:58:45", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre"}, "references": [{"tags": ["x_refsource_CONFIRM"], "url": "https://docs.jamf.com/10.3.0/jamf-pro/release-notes/Bug_Fixes_and_Enhancements.html"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "cve@mitre.org", "ID": "CVE-2018-10465", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "n/a", "version": {"version_data": [{"version_value": "n/a"}]}}]}, "vendor_name": "n/a"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "Jamf Pro 10.x before 10.3.0 has Incorrect Access Control. Jamf Pro user accounts and groups with access to log in to Jamf Pro had full access to endpoints in the Universal API (UAPI), regardless of account privileges or privilege sets. An authenticated Jamf Pro account without required privileges could be used to perform CRUD actions (GET, POST, PUT, DELETE) on UAPI endpoints, which could result in unauthorized information disclosure, compromised data integrity, and data loss. For a full listing of available UAPI endpoints and associated CRUD actions you can navigate to /uapi/doc in your instance of Jamf Pro."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "n/a"}]}]}, "references": {"reference_data": [{"name": "https://docs.jamf.com/10.3.0/jamf-pro/release-notes/Bug_Fixes_and_Enhancements.html", "refsource": "CONFIRM", "url": "https://docs.jamf.com/10.3.0/jamf-pro/release-notes/Bug_Fixes_and_Enhancements.html"}]}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-05T07:39:07.525Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://docs.jamf.com/10.3.0/jamf-pro/release-notes/Bug_Fixes_and_Enhancements.html"}]}]}, "cveMetadata": {"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2018-10465", "datePublished": "2020-01-07T18:58:45", "dateReserved": "2018-04-26T00:00:00", "dateUpdated": "2024-08-05T07:39:07.525Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:jamf:jamf:*:*:*:*:pro:*:*:*", "matchCriteriaId": "726ACC05-4297-4232-83EE-9DCC5A677257", "versionEndExcluding": "10.3.0", "versionStartIncluding": "10.0.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Jamf Pro 10.x before 10.3.0 has Incorrect Access Control. Jamf Pro user accounts and groups with access to log in to Jamf Pro had full access to endpoints in the Universal API (UAPI), regardless of account privileges or privilege sets. An authenticated Jamf Pro account without required privileges could be used to perform CRUD actions (GET, POST, PUT, DELETE) on UAPI endpoints, which could result in unauthorized information disclosure, compromised data integrity, and data loss. For a full listing of available UAPI endpoints and associated CRUD actions you can navigate to /uapi/doc in your instance of Jamf Pro."}, {"lang": "es", "value": "Jamf Pro versiones 10.x anteriores a la versi\u00f3n 10.3.0, tiene un Control de Acceso Incorrecto. Las cuentas de usuario y los grupos de Jamf Pro con acceso para iniciar sesi\u00f3n en Jamf Pro pose\u00edan acceso completo a los endpoints en la Universal API (UAPI), independientemente de los privilegios o los conjuntos de privilegios de la cuenta. Una cuenta de Jamf Pro autenticada sin los privilegios requeridos puede ser usada para realizar acciones CRUD (GET, POST, PUT, DELETE) en los endpoints UAPI, lo que podr\u00eda resultar en una divulgaci\u00f3n de informaci\u00f3n no autorizada, una integridad de datos comprometida y una p\u00e9rdida de datos. Para un listado completo de los endpoints UAPI disponibles y las acciones CRUD asociadas, puede navegar en /uapi/doc en su instancia de Jamf Pro."}], "id": "CVE-2018-10465", "lastModified": "2020-08-24T17:37:01.140", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "SINGLE", "availabilityImpact": "PARTIAL", "baseScore": 6.5, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P", "version": "2.0"}, "exploitabilityScore": 8.0, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2020-01-07T19:15:10.307", "references": [{"source": "cve@mitre.org", "tags": ["Vendor Advisory"], "url": "https://docs.jamf.com/10.3.0/jamf-pro/release-notes/Bug_Fixes_and_Enhancements.html"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "NVD-CWE-noinfo"}], "source": "nvd@nist.gov", "type": "Primary"}]}