{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2024-21667", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2023-12-29T16:10:20.368Z", "datePublished": "2024-01-11T01:05:35.979Z", "dateUpdated": "2024-08-01T22:27:36.094Z"}, "containers": {"cna": {"title": "Pimcore Customer Data Framework Improper Access Control allows unprivileged user to access GDPR extracts", "problemTypes": [{"descriptions": [{"cweId": "CWE-284", "lang": "en", "description": "CWE-284: Improper Access Control", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}}], "references": [{"name": "https://github.com/pimcore/customer-data-framework/security/advisories/GHSA-g273-wppx-82w4", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/pimcore/customer-data-framework/security/advisories/GHSA-g273-wppx-82w4"}, {"name": "https://github.com/pimcore/customer-data-framework/commit/6c34515be2ba39dceee7da07a1abf246309ccd77", "tags": ["x_refsource_MISC"], "url": "https://github.com/pimcore/customer-data-framework/commit/6c34515be2ba39dceee7da07a1abf246309ccd77"}, {"name": "https://github.com/pimcore/customer-data-framework/blob/b4af625ef327c58d05ef7cdf145fa749d2d4195e/src/Controller/Admin/GDPRDataController.php#L38", "tags": ["x_refsource_MISC"], "url": "https://github.com/pimcore/customer-data-framework/blob/b4af625ef327c58d05ef7cdf145fa749d2d4195e/src/Controller/Admin/GDPRDataController.php#L38"}], "affected": [{"vendor": "pimcore", "product": "customer-data-framework", "versions": [{"version": "< 4.0.6", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2024-01-11T01:05:35.979Z"}, "descriptions": [{"lang": "en", "value": "pimcore/customer-data-framework is the Customer Management Framework for management of customer data within Pimcore. An authenticated and unauthorized user can access the GDPR data extraction feature and query over the information returned, leading to customer data exposure. Permissions are not enforced when reaching the `/admin/customermanagementframework/gdpr-data/search-data-objects` endpoint allowing an authenticated user without the permissions to access the endpoint and query the data available there. An unauthorized user can access PII data from customers. This vulnerability has been patched in version 4.0.6.\n"}], "source": {"advisory": "GHSA-g273-wppx-82w4", "discovery": "UNKNOWN"}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-01T22:27:36.094Z"}, "title": "CVE Program Container", "references": [{"name": "https://github.com/pimcore/customer-data-framework/security/advisories/GHSA-g273-wppx-82w4", "tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://github.com/pimcore/customer-data-framework/security/advisories/GHSA-g273-wppx-82w4"}, {"name": "https://github.com/pimcore/customer-data-framework/commit/6c34515be2ba39dceee7da07a1abf246309ccd77", "tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/pimcore/customer-data-framework/commit/6c34515be2ba39dceee7da07a1abf246309ccd77"}, {"name": "https://github.com/pimcore/customer-data-framework/blob/b4af625ef327c58d05ef7cdf145fa749d2d4195e/src/Controller/Admin/GDPRDataController.php#L38", "tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/pimcore/customer-data-framework/blob/b4af625ef327c58d05ef7cdf145fa749d2d4195e/src/Controller/Admin/GDPRDataController.php#L38"}]}]}}

{}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:pimcore:customer_management_framework:*:*:*:*:*:pimcore:*:*", "matchCriteriaId": "09473711-86C6-485C-B865-015EEF9172BE", "versionEndExcluding": "4.0.6", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "pimcore/customer-data-framework is the Customer Management Framework for management of customer data within Pimcore. An authenticated and unauthorized user can access the GDPR data extraction feature and query over the information returned, leading to customer data exposure. Permissions are not enforced when reaching the `/admin/customermanagementframework/gdpr-data/search-data-objects` endpoint allowing an authenticated user without the permissions to access the endpoint and query the data available there. An unauthorized user can access PII data from customers. This vulnerability has been patched in version 4.0.6.\n"}, {"lang": "es", "value": "pimcore/customer-data-framework es el Customer Management Framework para la gesti\u00f3n de datos de clientes dentro de Pimcore. Un usuario autenticado y no autorizado puede acceder a la funci\u00f3n de extracci\u00f3n de datos del RGPD y consultar la informaci\u00f3n devuelta, lo que lleva a la exposici\u00f3n de los datos del cliente. Los permisos no se aplican al llegar al endpoint `/admin/customermanagementframework/gdpr-data/search-data-objects`, lo que permite a un usuario autenticado sin permisos acceder al endpoint y consultar los datos disponibles all\u00ed. Un usuario no autorizado puede acceder a los datos PII de los clientes. Esta vulnerabilidad ha sido parcheada en la versi\u00f3n 4.0.6."}], "id": "CVE-2024-21667", "lastModified": "2024-01-18T13:12:45.593", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 3.6, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2024-01-11T01:15:45.810", "references": [{"source": "security-advisories@github.com", "tags": ["Issue Tracking"], "url": "https://github.com/pimcore/customer-data-framework/blob/b4af625ef327c58d05ef7cdf145fa749d2d4195e/src/Controller/Admin/GDPRDataController.php#L38"}, {"source": "security-advisories@github.com", "tags": ["Patch"], "url": "https://github.com/pimcore/customer-data-framework/commit/6c34515be2ba39dceee7da07a1abf246309ccd77"}, {"source": "security-advisories@github.com", "tags": ["Exploit", "Vendor Advisory"], "url": "https://github.com/pimcore/customer-data-framework/security/advisories/GHSA-g273-wppx-82w4"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-284"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}