{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2024-21545", "assignerOrgId": "bae035ff-b466-4ff4-94d0-fc9efd9e1730", "state": "PUBLISHED", "assignerShortName": "snyk", "dateReserved": "2023-12-22T12:33:20.124Z", "datePublished": "2024-09-24T07:25:12.184Z", "dateUpdated": "2024-09-24T14:57:45.924Z"}, "containers": {"cna": {"metrics": [{"cvssV3_1": {"version": "3.1", "attackVector": "NETWORK", "attackComplexity": "HIGH", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "CHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "NONE", "baseScore": 8.2, "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:N"}}], "credits": [{"value": "Rory McNamara (Snyk Security Research)", "lang": "en"}], "problemTypes": [{"descriptions": [{"cweId": "CWE-73", "description": "External Control of File Name or Path", "lang": "en"}]}], "providerMetadata": {"orgId": "bae035ff-b466-4ff4-94d0-fc9efd9e1730", "shortName": "snyk", "dateUpdated": "2024-09-24T07:25:12.184Z"}, "descriptions": [{"value": "Proxmox Virtual Environment is an open-source server management platform for enterprise virtualization. Insufficient safeguards against malicious API response values allow authenticated attackers with 'Sys.Audit' or 'VM.Monitor' privileges to download arbitrary host files via the API.\nWhen handling the result from a request handler before returning it to the user, the handle_api2_request function will check for the \u2018download\u2019 or \u2018data\u2019->\u2019download\u2019 objects inside the request handler call response object. If present, handle_api2_request will read a local file defined by this object and return it to the user.\nTwo endpoints were identified which can control the object returned by a request handler sufficiently that the \u2019download\u2019 object is defined and user controlled. This results in arbitrary file read.\nThe privileges of this file read can result in full compromise of the system by various impacts such as disclosing sensitive files allowing for privileged session forgery.", "lang": "en"}], "references": [{"url": "https://git.proxmox.com/?p=pve-http-server.git;a=blob;f=src/PVE/APIServer/AnyEvent.pm;h=a8d60c18102d2eea9235720852fb60d90f405d0a;hb=HEAD#l988"}, {"url": "https://forum.proxmox.com/threads/proxmox-virtual-environment-security-advisories.149331/post-705345"}], "affected": [{"product": "pve-manager", "versions": [{"version": "0", "lessThan": "7.4-19", "status": "affected", "versionType": "semver"}, {"version": "8.0.0", "lessThan": "8.2.7", "status": "affected", "versionType": "semver"}], "vendor": "Proxmox"}, {"product": "libpve-storage-perl", "versions": [{"version": "0", "lessThan": "7.4-4", "status": "affected", "versionType": "semver"}, {"version": "8.0.0", "lessThan": "8.2.5", "status": "affected", "versionType": "semver"}], "vendor": "Proxmox"}, {"product": "libpve-http-server-perl", "versions": [{"version": "3.2-1", "lessThan": "4.3.0", "status": "affected", "versionType": "semver"}, {"version": "5.0.0", "lessThan": "5.1.1", "status": "affected", "versionType": "semver"}], "vendor": "Proxmox"}, {"product": "pmg-api", "versions": [{"version": "0", "lessThan": "7.3-12", "status": "affected", "versionType": "semver"}, {"version": "8.0.0", "lessThan": "8.1.4", "status": "affected", "versionType": "semver"}], "vendor": "Proxmox"}, {"product": "libpve-common-perl (Promox VE 8)", "versions": [{"version": "0", "lessThan": "8.2.3", "status": "affected", "versionType": "semver"}], "vendor": "Proxmox"}, {"product": "libpve-common-perl (Promox Mail Gateway 8)", "versions": [{"version": "0", "lessThan": "8.2.5", "status": "affected", "versionType": "semver"}], "vendor": "Proxmox"}]}, "adp": [{"problemTypes": [{"descriptions": [{"type": "CWE", "cweId": "CWE-73", "lang": "en", "description": "CWE-73 External Control of File Name or Path"}]}], "affected": [{"vendor": "proxmox", "product": "mail_gateway", "cpes": ["cpe:2.3:a:proxmox:mail_gateway:*:*:*:*:*:*:*:*"], "defaultStatus": "unknown", "versions": [{"version": "6.0", "status": "affected", "lessThan": "7.2", "versionType": "semver"}, {"version": "8.0", "status": "affected", "lessThan": "8.1-1", "versionType": "semver"}]}, {"vendor": "proxmox", "product": "virtual_environment", "cpes": ["cpe:2.3:a:proxmox:virtual_environment:*:*:*:*:*:*:*:*"], "defaultStatus": "unknown", "versions": [{"version": "6.0", "status": "affected", "lessThan": "7.3", "versionType": "semver"}, {"version": "8.0", "status": "affected", "lessThan": "8.2-2", "versionType": "semver"}]}], "metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2024-09-24T13:52:32.343980Z", "id": "CVE-2024-21545", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-09-24T14:57:45.924Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2024-21545", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2024-09-24T13:52:32.343980Z"}}}], "affected": [{"cpes": ["cpe:2.3:a:proxmox:mail_gateway:*:*:*:*:*:*:*:*"], "vendor": "proxmox", "product": "mail_gateway", "versions": [{"status": "affected", "version": "6.0", "lessThan": "7.2", "versionType": "semver"}, {"status": "affected", "version": "8.0", "lessThan": "8.1-1", "versionType": "semver"}], "defaultStatus": "unknown"}, {"cpes": ["cpe:2.3:a:proxmox:virtual_environment:*:*:*:*:*:*:*:*"], "vendor": "proxmox", "product": "virtual_environment", "versions": [{"status": "affected", "version": "6.0", "lessThan": "7.3", "versionType": "semver"}, {"status": "affected", "version": "8.0", "lessThan": "8.2-2", "versionType": "semver"}], "defaultStatus": "unknown"}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-73", "description": "CWE-73 External Control of File Name or Path"}]}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-09-24T13:56:21.416Z"}}], "cna": {"credits": [{"lang": "en", "value": "Rory McNamara (Snyk Security Research)"}], "metrics": [{"cvssV3_1": {"scope": "CHANGED", "version": "3.1", "baseScore": 8.2, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:N", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "HIGH", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}}], "affected": [{"vendor": "Proxmox", "product": "pve-manager", "versions": [{"status": "affected", "version": "0", "lessThan": "7.4-19", "versionType": "semver"}, {"status": "affected", "version": "8.0.0", "lessThan": "8.2.7", "versionType": "semver"}]}, {"vendor": "Proxmox", "product": "libpve-storage-perl", "versions": [{"status": "affected", "version": "0", "lessThan": "7.4-4", "versionType": "semver"}, {"status": "affected", "version": "8.0.0", "lessThan": "8.2.5", "versionType": "semver"}]}, {"vendor": "Proxmox", "product": "libpve-http-server-perl", "versions": [{"status": "affected", "version": "3.2-1", "lessThan": "4.3.0", "versionType": "semver"}, {"status": "affected", "version": "5.0.0", "lessThan": "5.1.1", "versionType": "semver"}]}, {"vendor": "Proxmox", "product": "pmg-api", "versions": [{"status": "affected", "version": "0", "lessThan": "7.3-12", "versionType": "semver"}, {"status": "affected", "version": "8.0.0", "lessThan": "8.1.4", "versionType": "semver"}]}, {"vendor": "Proxmox", "product": "libpve-common-perl (Promox VE 8)", "versions": [{"status": "affected", "version": "0", "lessThan": "8.2.3", "versionType": "semver"}]}, {"vendor": "Proxmox", "product": "libpve-common-perl (Promox Mail Gateway 8)", "versions": [{"status": "affected", "version": "0", "lessThan": "8.2.5", "versionType": "semver"}]}], "references": [{"url": "https://git.proxmox.com/?p=pve-http-server.git;a=blob;f=src/PVE/APIServer/AnyEvent.pm;h=a8d60c18102d2eea9235720852fb60d90f405d0a;hb=HEAD#l988"}, {"url": "https://forum.proxmox.com/threads/proxmox-virtual-environment-security-advisories.149331/post-705345"}], "descriptions": [{"lang": "en", "value": "Proxmox Virtual Environment is an open-source server management platform for enterprise virtualization. Insufficient safeguards against malicious API response values allow authenticated attackers with 'Sys.Audit' or 'VM.Monitor' privileges to download arbitrary host files via the API.\nWhen handling the result from a request handler before returning it to the user, the handle_api2_request function will check for the \u2018download\u2019 or \u2018data\u2019->\u2019download\u2019 objects inside the request handler call response object. If present, handle_api2_request will read a local file defined by this object and return it to the user.\nTwo endpoints were identified which can control the object returned by a request handler sufficiently that the \u2019download\u2019 object is defined and user controlled. This results in arbitrary file read.\nThe privileges of this file read can result in full compromise of the system by various impacts such as disclosing sensitive files allowing for privileged session forgery."}], "problemTypes": [{"descriptions": [{"lang": "en", "cweId": "CWE-73", "description": "External Control of File Name or Path"}]}], "providerMetadata": {"orgId": "bae035ff-b466-4ff4-94d0-fc9efd9e1730", "shortName": "snyk", "dateUpdated": "2024-09-24T07:25:12.184Z"}}}, "cveMetadata": {"cveId": "CVE-2024-21545", "state": "PUBLISHED", "dateUpdated": "2024-09-24T14:57:45.924Z", "dateReserved": "2023-12-22T12:33:20.124Z", "assignerOrgId": "bae035ff-b466-4ff4-94d0-fc9efd9e1730", "datePublished": "2024-09-24T07:25:12.184Z", "assignerShortName": "snyk"}, "dataVersion": "5.1"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Proxmox Virtual Environment is an open-source server management platform for enterprise virtualization. Insufficient safeguards against malicious API response values allow authenticated attackers with 'Sys.Audit' or 'VM.Monitor' privileges to download arbitrary host files via the API.\nWhen handling the result from a request handler before returning it to the user, the handle_api2_request function will check for the \u2018download\u2019 or \u2018data\u2019->\u2019download\u2019 objects inside the request handler call response object. If present, handle_api2_request will read a local file defined by this object and return it to the user.\nTwo endpoints were identified which can control the object returned by a request handler sufficiently that the \u2019download\u2019 object is defined and user controlled. This results in arbitrary file read.\nThe privileges of this file read can result in full compromise of the system by various impacts such as disclosing sensitive files allowing for privileged session forgery."}, {"lang": "es", "value": "Proxmox Virtual Environment es una plataforma de administraci\u00f3n de servidores de c\u00f3digo abierto para la virtualizaci\u00f3n empresarial. Las protecciones insuficientes contra valores de respuesta de API maliciosos permiten que atacantes autenticados con privilegios 'Sys.Audit' o 'VM.Monitor' descarguen archivos de host arbitrarios a trav\u00e9s de la API. Al manejar el resultado de un controlador de solicitud antes de devolverlo al usuario, la funci\u00f3n handle_api2_request verificar\u00e1 los objetos 'download' o 'data'->'download' dentro del objeto de respuesta de llamada del controlador de solicitud. Si est\u00e1 presente, handle_api2_request leer\u00e1 un archivo local definido por este objeto y lo devolver\u00e1 al usuario. Se identificaron dos endpoints que pueden controlar el objeto devuelto por un controlador de solicitud lo suficiente como para que el objeto 'download' est\u00e9 definido y controlado por el usuario. Esto da como resultado la lectura de archivos arbitrarios. Los privilegios de esta lectura de archivos pueden provocar un compromiso total del sistema por varios impactos, como la divulgaci\u00f3n de archivos confidenciales que permiten la falsificaci\u00f3n de sesiones privilegiadas."}], "id": "CVE-2024-21545", "lastModified": "2024-09-26T13:32:02.803", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 8.2, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:N", "version": "3.1"}, "exploitabilityScore": 1.8, "impactScore": 5.8, "source": "report@snyk.io", "type": "Secondary"}]}, "published": "2024-09-25T01:15:40.180", "references": [{"source": "report@snyk.io", "url": "https://forum.proxmox.com/threads/proxmox-virtual-environment-security-advisories.149331/post-705345"}, {"source": "report@snyk.io", "url": "https://git.proxmox.com/?p=pve-http-server.git;a=blob;f=src/PVE/APIServer/AnyEvent.pm;h=a8d60c18102d2eea9235720852fb60d90f405d0a;hb=HEAD#l988"}], "sourceIdentifier": "report@snyk.io", "vulnStatus": "Awaiting Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-73"}], "source": "report@snyk.io", "type": "Secondary"}, {"description": [{"lang": "en", "value": "CWE-73"}], "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}

{}