{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2024-3046", "assignerOrgId": "e51fbebd-6053-4e49-959f-1b94eeb69a2c", "state": "PUBLISHED", "assignerShortName": "eclipse", "dateReserved": "2024-03-28T15:55:27.026Z", "datePublished": "2024-04-09T10:02:39.146Z", "dateUpdated": "2024-08-22T19:59:23.361Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "unaffected", "packageName": "org.eclipse.kura:org.eclipse.kura.web2", "product": "Kura", "repo": "https://github.com/eclipse/kura", "vendor": "Eclipse Foundation", "versions": [{"lessThanOrEqual": "5.4.1", "status": "affected", "version": "5.0.0", "versionType": "semver"}]}], "credits": [{"lang": "en", "type": "finder", "user": "00000000-0000-4000-9000-000000000000", "value": "Davide Virruso of Yoroi"}], "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "<div>In Eclipse Kura LogServlet component included in versions 5.0.0 to 5.4.1, a specifically crafted request to the servlet can allow an unauthenticated user to retrieve the device logs. Also, downloaded logs may be used by an attacker to perform privilege escalation by using the session id of an authenticated user reported in logs.</div><div><br></div><div>This issue affects org.eclipse.kura:org.eclipse.kura.web2 version range [2.0.600, 2.4.0], which is included in Eclipse Kura version range [5.0.0, 5.4.1]<br></div>"}], "value": "In Eclipse Kura LogServlet component included in versions 5.0.0 to 5.4.1, a specifically crafted request to the servlet can allow an unauthenticated user to retrieve the device logs. Also, downloaded logs may be used by an attacker to perform privilege escalation by using the session id of an authenticated user reported in logs.\n\nThis issue affects org.eclipse.kura:org.eclipse.kura.web2 version range [2.0.600, 2.4.0], which is included in Eclipse Kura version range [5.0.0, 5.4.1]\n\n"}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-303", "description": "CWE-303: Incorrect Implementation of Authentication Algorithm}", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "e51fbebd-6053-4e49-959f-1b94eeb69a2c", "shortName": "eclipse", "dateUpdated": "2024-04-10T05:51:23.655Z"}, "references": [{"url": "https://gitlab.eclipse.org/security/vulnerability-reports/-/issues/188"}], "source": {"discovery": "UNKNOWN"}, "x_generator": {"engine": "Vulnogram 0.1.0-dev"}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-01T19:32:42.548Z"}, "title": "CVE Program Container", "references": [{"url": "https://gitlab.eclipse.org/security/vulnerability-reports/-/issues/188", "tags": ["x_transferred"]}]}, {"affected": [{"vendor": "eclipse_foundation", "product": "kura", "cpes": ["cpe:2.3:a:eclipse_foundation:kura:*:*:*:*:*:*:*:*"], "defaultStatus": "unknown", "versions": [{"version": "5.0.0", "status": "affected", "lessThanOrEqual": "5.4.1", "versionType": "custom"}]}], "metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2024-04-09T19:53:17.127730Z", "id": "CVE-2024-3046", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-08-22T19:59:23.361Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "https://gitlab.eclipse.org/security/vulnerability-reports/-/issues/188", "tags": ["x_transferred"]}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-01T19:32:42.548Z"}}, {"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2024-3046", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2024-04-09T19:53:17.127730Z"}}}], "affected": [{"cpes": ["cpe:2.3:a:eclipse_foundation:kura:*:*:*:*:*:*:*:*"], "vendor": "eclipse_foundation", "product": "kura", "versions": [{"status": "affected", "version": "5.0.0", "versionType": "custom", "lessThanOrEqual": "5.4.1"}], "defaultStatus": "unknown"}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-08-22T19:59:18.347Z"}}], "cna": {"source": {"discovery": "UNKNOWN"}, "credits": [{"lang": "en", "type": "finder", "user": "00000000-0000-4000-9000-000000000000", "value": "Davide Virruso of Yoroi"}], "metrics": [{"format": "CVSS", "cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.5, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"repo": "https://github.com/eclipse/kura", "vendor": "Eclipse Foundation", "product": "Kura", "versions": [{"status": "affected", "version": "5.0.0", "versionType": "semver", "lessThanOrEqual": "5.4.1"}], "packageName": "org.eclipse.kura:org.eclipse.kura.web2", "defaultStatus": "unaffected"}], "references": [{"url": "https://gitlab.eclipse.org/security/vulnerability-reports/-/issues/188"}], "x_generator": {"engine": "Vulnogram 0.1.0-dev"}, "descriptions": [{"lang": "en", "value": "In Eclipse Kura LogServlet component included in versions 5.0.0 to 5.4.1, a specifically crafted request to the servlet can allow an unauthenticated user to retrieve the device logs. Also, downloaded logs may be used by an attacker to perform privilege escalation by using the session id of an authenticated user reported in logs.\n\nThis issue affects org.eclipse.kura:org.eclipse.kura.web2 version range [2.0.600, 2.4.0], which is included in Eclipse Kura version range [5.0.0, 5.4.1]\n\n", "supportingMedia": [{"type": "text/html", "value": "<div>In Eclipse Kura LogServlet component included in versions 5.0.0 to 5.4.1, a specifically crafted request to the servlet can allow an unauthenticated user to retrieve the device logs. Also, downloaded logs may be used by an attacker to perform privilege escalation by using the session id of an authenticated user reported in logs.</div><div><br></div><div>This issue affects org.eclipse.kura:org.eclipse.kura.web2 version range [2.0.600, 2.4.0], which is included in Eclipse Kura version range [5.0.0, 5.4.1]<br></div>", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-303", "description": "CWE-303: Incorrect Implementation of Authentication Algorithm}"}]}], "providerMetadata": {"orgId": "e51fbebd-6053-4e49-959f-1b94eeb69a2c", "shortName": "eclipse", "dateUpdated": "2024-04-10T05:51:23.655Z"}}}, "cveMetadata": {"cveId": "CVE-2024-3046", "state": "PUBLISHED", "dateUpdated": "2024-08-22T19:59:23.361Z", "dateReserved": "2024-03-28T15:55:27.026Z", "assignerOrgId": "e51fbebd-6053-4e49-959f-1b94eeb69a2c", "datePublished": "2024-04-09T10:02:39.146Z", "assignerShortName": "eclipse"}, "dataVersion": "5.1"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "In Eclipse Kura LogServlet component included in versions 5.0.0 to 5.4.1, a specifically crafted request to the servlet can allow an unauthenticated user to retrieve the device logs. Also, downloaded logs may be used by an attacker to perform privilege escalation by using the session id of an authenticated user reported in logs.\n\nThis issue affects org.eclipse.kura:org.eclipse.kura.web2 version range [2.0.600, 2.4.0], which is included in Eclipse Kura version range [5.0.0, 5.4.1]\n\n"}, {"lang": "es", "value": "En el componente Eclipse Kura LogServlet incluido en las versiones 5.0.0 a 5.4.1, una solicitud manipulada espec\u00edficamente al servlet puede permitir que un usuario no autenticado recupere los registros del dispositivo. Adem\u00e1s, un atacante puede utilizar los registros descargados para realizar una escalada de privilegios utilizando la identificaci\u00f3n de sesi\u00f3n de un usuario autenticado informado en los registros. Este problema afecta al rango de versiones org.eclipse.kura:org.eclipse.kura.web2 [2.0.600, 2.4.0], que se incluye en el rango de versiones de Eclipse Kura [5.0.0, 5.4.1]."}], "id": "CVE-2024-3046", "lastModified": "2024-04-10T06:15:07.253", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "emo@eclipse.org", "type": "Secondary"}]}, "published": "2024-04-09T10:15:08.600", "references": [{"source": "emo@eclipse.org", "url": "https://gitlab.eclipse.org/security/vulnerability-reports/-/issues/188"}], "sourceIdentifier": "emo@eclipse.org", "vulnStatus": "Awaiting Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-303"}], "source": "emo@eclipse.org", "type": "Secondary"}]}

{}