CVE-2024-3270 - OpenCVE

A vulnerability classified as problematic was found in ThingsBoard up to 3.6.2. This vulnerability affects unknown code of the component AdvancedFeature. The manipulation leads to improper access controls. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. VDB-259282 is the identifier assigned to this vulnerability. NOTE: The vendor was contacted early about this disclosure and replied to be planning to fix this issue in version 3.7.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required High

Scope Unchanged

Confidentiality Impact None

Integrity Impact Low

Availability Impact Low

User Interaction None

Attack Vector Network

Attack Complexity Low

Privileges Required High

Scope Unchanged

Confidentiality Impact None

Integrity Impact Low

Availability Impact Low

User Interaction None

Access Vector Network

Access Complexity Low

Authentication Multiple

Confidentiality Impact None

Integrity Impact Partial

Availability Impact Partial

AV:N/AC:L/Au:M/C:N/I:P/A:P

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

No data.

No data.

No data.

References

Link	Providers
https://drive.google.com/file/d/1w9iSMpyKDuapH9wjsgTe8AYPn8Z30u2Z/view?usp=drive_link
https://vuldb.com/?ctiid.259282
https://vuldb.com/?id.259282
https://vuldb.com/?submit.301359

History

No history.

MITRE

Status: PUBLISHED

Assigner: VulDB

Published: 2024-04-03T23:00:06.494Z

Updated: 2024-08-27T13:27:22.349Z

Reserved: 2024-04-03T18:13:44.579Z

Link: CVE-2024-3270

Vulnrichment

Updated: 2024-08-01T20:05:08.291Z

NVD

Status : Awaiting Analysis

Published: 2024-04-03T23:15:13.650

Modified: 2024-05-17T02:39:49.333

Link: CVE-2024-3270

Redhat

No data.

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2024-3270", "assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5", "state": "PUBLISHED", "assignerShortName": "VulDB", "dateReserved": "2024-04-03T18:13:44.579Z", "datePublished": "2024-04-03T23:00:06.494Z", "dateUpdated": "2024-08-27T13:27:22.349Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "1af790b2-7ee1-4545-860a-a788eba489b5", "shortName": "VulDB", "dateUpdated": "2024-04-03T23:00:06.494Z"}, "title": "ThingsBoard AdvancedFeature access control", "problemTypes": [{"descriptions": [{"type": "CWE", "cweId": "CWE-284", "lang": "en", "description": "CWE-284 Improper Access Controls"}]}], "affected": [{"vendor": "n/a", "product": "ThingsBoard", "versions": [{"version": "3.6.0", "status": "affected"}, {"version": "3.6.1", "status": "affected"}, {"version": "3.6.2", "status": "affected"}], "modules": ["AdvancedFeature"]}], "descriptions": [{"lang": "en", "value": "A vulnerability classified as problematic was found in ThingsBoard up to 3.6.2. This vulnerability affects unknown code of the component AdvancedFeature. The manipulation leads to improper access controls. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. VDB-259282 is the identifier assigned to this vulnerability. NOTE: The vendor was contacted early about this disclosure and replied to be planning to fix this issue in version 3.7."}, {"lang": "de", "value": "In ThingsBoard bis 3.6.2 wurde eine Schwachstelle entdeckt. Sie wurde als problematisch eingestuft. Betroffen ist eine unbekannte Verarbeitung der Komponente AdvancedFeature. Dank Manipulation mit unbekannten Daten kann eine improper access controls-Schwachstelle ausgenutzt werden. Der Angriff kann \u00fcber das Netzwerk passieren. Der Exploit steht zur \u00f6ffentlichen Verf\u00fcgung."}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 3.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:L", "baseSeverity": "LOW"}}, {"cvssV3_0": {"version": "3.0", "baseScore": 3.8, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:L", "baseSeverity": "LOW"}}, {"cvssV2_0": {"version": "2.0", "baseScore": 4.7, "vectorString": "AV:N/AC:L/Au:M/C:N/I:P/A:P"}}], "timeline": [{"time": "2024-04-03T00:00:00.000Z", "lang": "en", "value": "Advisory disclosed"}, {"time": "2024-04-03T02:00:00.000Z", "lang": "en", "value": "VulDB entry created"}, {"time": "2024-04-03T20:19:15.000Z", "lang": "en", "value": "VulDB entry last update"}], "credits": [{"lang": "en", "value": "sickuritywizard (VulDB User)", "type": "reporter"}], "references": [{"url": "https://vuldb.com/?id.259282", "name": "VDB-259282 | ThingsBoard AdvancedFeature access control", "tags": ["vdb-entry"]}, {"url": "https://vuldb.com/?ctiid.259282", "name": "VDB-259282 | CTI Indicators (IOB, IOC, TTP)", "tags": ["signature", "permissions-required"]}, {"url": "https://vuldb.com/?submit.301359", "name": "Submit #301359 | Thingsboard Thingsboard 3.6.2 Arbitrary File Write", "tags": ["third-party-advisory"]}, {"url": "https://drive.google.com/file/d/1w9iSMpyKDuapH9wjsgTe8AYPn8Z30u2Z/view?usp=drive_link", "tags": ["exploit"]}]}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-01T20:05:08.291Z"}, "title": "CVE Program Container", "references": [{"url": "https://vuldb.com/?id.259282", "name": "VDB-259282 | ThingsBoard AdvancedFeature access control", "tags": ["vdb-entry", "x_transferred"]}, {"url": "https://vuldb.com/?ctiid.259282", "name": "VDB-259282 | CTI Indicators (IOB, IOC, TTP)", "tags": ["signature", "permissions-required", "x_transferred"]}, {"url": "https://vuldb.com/?submit.301359", "name": "Submit #301359 | Thingsboard Thingsboard 3.6.2 Arbitrary File Write", "tags": ["third-party-advisory", "x_transferred"]}, {"url": "https://drive.google.com/file/d/1w9iSMpyKDuapH9wjsgTe8AYPn8Z30u2Z/view?usp=drive_link", "tags": ["exploit", "x_transferred"]}]}, {"affected": [{"vendor": "thingsboard", "product": "thingsboard", "cpes": ["cpe:2.3:a:thingsboard:thingsboard:*:*:*:*:*:*:*:*"], "defaultStatus": "unknown", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "3.6.2", "versionType": "custom"}]}], "metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2024-04-04T15:16:26.309975Z", "id": "CVE-2024-3270", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-08-27T13:27:22.349Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "https://vuldb.com/?id.259282", "name": "VDB-259282 | ThingsBoard AdvancedFeature access control", "tags": ["vdb-entry", "x_transferred"]}, {"url": "https://vuldb.com/?ctiid.259282", "name": "VDB-259282 | CTI Indicators (IOB, IOC, TTP)", "tags": ["signature", "permissions-required", "x_transferred"]}, {"url": "https://vuldb.com/?submit.301359", "name": "Submit #301359 | Thingsboard Thingsboard 3.6.2 Arbitrary File Write", "tags": ["third-party-advisory", "x_transferred"]}, {"url": "https://drive.google.com/file/d/1w9iSMpyKDuapH9wjsgTe8AYPn8Z30u2Z/view?usp=drive_link", "tags": ["exploit", "x_transferred"]}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-01T20:05:08.291Z"}}, {"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2024-3270", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2024-04-04T15:16:26.309975Z"}}}], "affected": [{"cpes": ["cpe:2.3:a:thingsboard:thingsboard:*:*:*:*:*:*:*:*"], "vendor": "thingsboard", "product": "thingsboard", "versions": [{"status": "affected", "version": "0", "versionType": "custom", "lessThanOrEqual": "3.6.2"}], "defaultStatus": "unknown"}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-08-27T13:26:35.875Z"}}], "cna": {"title": "ThingsBoard AdvancedFeature access control", "credits": [{"lang": "en", "type": "reporter", "value": "sickuritywizard (VulDB User)"}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 3.8, "baseSeverity": "LOW", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:L"}}, {"cvssV3_0": {"version": "3.0", "baseScore": 3.8, "baseSeverity": "LOW", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:L"}}, {"cvssV2_0": {"version": "2.0", "baseScore": 4.7, "vectorString": "AV:N/AC:L/Au:M/C:N/I:P/A:P"}}], "affected": [{"vendor": "n/a", "modules": ["AdvancedFeature"], "product": "ThingsBoard", "versions": [{"status": "affected", "version": "3.6.0"}, {"status": "affected", "version": "3.6.1"}, {"status": "affected", "version": "3.6.2"}]}], "timeline": [{"lang": "en", "time": "2024-04-03T00:00:00.000Z", "value": "Advisory disclosed"}, {"lang": "en", "time": "2024-04-03T02:00:00.000Z", "value": "VulDB entry created"}, {"lang": "en", "time": "2024-04-03T20:19:15.000Z", "value": "VulDB entry last update"}], "references": [{"url": "https://vuldb.com/?id.259282", "name": "VDB-259282 | ThingsBoard AdvancedFeature access control", "tags": ["vdb-entry"]}, {"url": "https://vuldb.com/?ctiid.259282", "name": "VDB-259282 | CTI Indicators (IOB, IOC, TTP)", "tags": ["signature", "permissions-required"]}, {"url": "https://vuldb.com/?submit.301359", "name": "Submit #301359 | Thingsboard Thingsboard 3.6.2 Arbitrary File Write", "tags": ["third-party-advisory"]}, {"url": "https://drive.google.com/file/d/1w9iSMpyKDuapH9wjsgTe8AYPn8Z30u2Z/view?usp=drive_link", "tags": ["exploit"]}], "descriptions": [{"lang": "en", "value": "A vulnerability classified as problematic was found in ThingsBoard up to 3.6.2. This vulnerability affects unknown code of the component AdvancedFeature. The manipulation leads to improper access controls. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. VDB-259282 is the identifier assigned to this vulnerability. NOTE: The vendor was contacted early about this disclosure and replied to be planning to fix this issue in version 3.7."}, {"lang": "de", "value": "In ThingsBoard bis 3.6.2 wurde eine Schwachstelle entdeckt. Sie wurde als problematisch eingestuft. Betroffen ist eine unbekannte Verarbeitung der Komponente AdvancedFeature. Dank Manipulation mit unbekannten Daten kann eine improper access controls-Schwachstelle ausgenutzt werden. Der Angriff kann \u00fcber das Netzwerk passieren. Der Exploit steht zur \u00f6ffentlichen Verf\u00fcgung."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-284", "description": "CWE-284 Improper Access Controls"}]}], "providerMetadata": {"orgId": "1af790b2-7ee1-4545-860a-a788eba489b5", "shortName": "VulDB", "dateUpdated": "2024-04-03T23:00:06.494Z"}}}, "cveMetadata": {"cveId": "CVE-2024-3270", "state": "PUBLISHED", "dateUpdated": "2024-08-27T13:27:22.349Z", "dateReserved": "2024-04-03T18:13:44.579Z", "assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5", "datePublished": "2024-04-03T23:00:06.494Z", "assignerShortName": "VulDB"}, "dataVersion": "5.1"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "A vulnerability classified as problematic was found in ThingsBoard up to 3.6.2. This vulnerability affects unknown code of the component AdvancedFeature. The manipulation leads to improper access controls. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. VDB-259282 is the identifier assigned to this vulnerability. NOTE: The vendor was contacted early about this disclosure and replied to be planning to fix this issue in version 3.7."}, {"lang": "es", "value": "Se ha encontrado una vulnerabilidad en ThingsBoard hasta 3.6.2 y ha sido clasificada como problem\u00e1tica. Esta vulnerabilidad afecta a c\u00f3digo desconocido del componente AdvancedFeature. La manipulaci\u00f3n conduce a controles de acceso inadecuados. El ataque se puede iniciar de forma remota. El exploit ha sido divulgado al p\u00fablico y puede utilizarse. VDB-259282 es el identificador asignado a esta vulnerabilidad. NOTA: Se contact\u00f3 primeramente con el proveedor sobre esta divulgaci\u00f3n y respondi\u00f3 que planeaba solucionar este problema en la versi\u00f3n 3.7."}], "id": "CVE-2024-3270", "lastModified": "2024-05-17T02:39:49.333", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "MULTIPLE", "availabilityImpact": "PARTIAL", "baseScore": 4.7, "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:M/C:N/I:P/A:P", "version": "2.0"}, "exploitabilityScore": 6.4, "impactScore": 4.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "cna@vuldb.com", "type": "Secondary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 3.8, "baseSeverity": "LOW", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:L", "version": "3.1"}, "exploitabilityScore": 1.2, "impactScore": 2.5, "source": "cna@vuldb.com", "type": "Secondary"}]}, "published": "2024-04-03T23:15:13.650", "references": [{"source": "cna@vuldb.com", "url": "https://drive.google.com/file/d/1w9iSMpyKDuapH9wjsgTe8AYPn8Z30u2Z/view?usp=drive_link"}, {"source": "cna@vuldb.com", "url": "https://vuldb.com/?ctiid.259282"}, {"source": "cna@vuldb.com", "url": "https://vuldb.com/?id.259282"}, {"source": "cna@vuldb.com", "url": "https://vuldb.com/?submit.301359"}], "sourceIdentifier": "cna@vuldb.com", "vulnStatus": "Awaiting Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-284"}], "source": "cna@vuldb.com", "type": "Primary"}]}