CVE-2024-36457 - OpenCVE

The vulnerability allows an attacker to bypass the authentication requirements for a specific PAM endpoint.

Attack Vector Adjacent Network

Attack Complexity Low

Privileges Required None

Attack Requirements None

User Interaction None

Vulnerable System Confidentiality Impact None

Vulnerable System Integrity Impact Low

Vulnerable System Availability Impact None

Subsequent System Confidentiality Impact None

Subsequent System Integrity Impact None

Subsequent System Availability Impact None

No CVSS v3.1

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

Exploitation none

Automatable no

Technical Impact partial

No data.

No data.

No data.

References

Link	Providers
https://support.broadcom.com/web/ecx/support-content-notification/-/external/content/SecurityAdvisories/0/24678

History

Tue, 12 Nov 2024 19:15:00 +0000

Type	Values Removed	Values Added
Weaknesses		CWE-306

MITRE

Status: PUBLISHED

Assigner: symantec

Published: 2024-07-15T13:39:19.248Z

Updated: 2024-11-12T18:12:40.781Z

Reserved: 2024-05-28T10:24:37.077Z

Link: CVE-2024-36457

Vulnrichment

Updated: 2024-08-02T03:37:05.380Z

NVD

Status : Awaiting Analysis

Published: 2024-07-15T14:15:02.917

Modified: 2024-11-12T19:35:08.833

Link: CVE-2024-36457

Redhat

No data.

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2024-36457", "assignerOrgId": "80d3bcb6-88de-48c2-a47e-aebf795f19b5", "state": "PUBLISHED", "assignerShortName": "symantec", "dateReserved": "2024-05-28T10:24:37.077Z", "datePublished": "2024-07-15T13:39:19.248Z", "dateUpdated": "2024-11-12T18:12:40.781Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "unaffected", "product": "Symantec Privileged Access Management", "vendor": "Broadcom", "versions": [{"status": "affected", "version": "4.1.0 - 4.1.7"}, {"status": "affected", "version": "3.4.6"}]}], "credits": [{"lang": "en", "type": "finder", "value": "Abdel Adim `smaury` Oisfi of Shielder (https://www.shielder.com) - research@shielder.com"}, {"lang": "en", "type": "finder", "value": "Paolo Cavagli\u00e0 of Shielder (https://www.shielder.com) - research@shielder.com"}], "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "\n\n<span style=\"background-color: rgb(255, 255, 255);\">The vulnerability allows an attacker to bypass the authentication requirements for a specific PAM endpoint.</span>\n\n"}], "value": "The vulnerability allows an attacker to bypass the authentication requirements for a specific PAM endpoint."}], "impacts": [{"capecId": "CAPEC-115", "descriptions": [{"lang": "en", "value": "CAPEC-115 Authentication Bypass"}]}], "metrics": [{"cvssV4_0": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "ADJACENT", "baseScore": 5.3, "baseSeverity": "MEDIUM", "privilegesRequired": "NONE", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N", "version": "4.0", "vulnAvailabilityImpact": "NONE", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "LOW", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "providerMetadata": {"orgId": "80d3bcb6-88de-48c2-a47e-aebf795f19b5", "shortName": "symantec", "dateUpdated": "2024-07-15T13:39:19.248Z"}, "references": [{"url": "https://support.broadcom.com/web/ecx/support-content-notification/-/external/content/SecurityAdvisories/0/24678"}], "source": {"discovery": "UNKNOWN"}, "title": "Symantec Privileged Access Manager Authentication Bypass vulnerability", "x_generator": {"engine": "Vulnogram 0.2.0"}}, "adp": [{"problemTypes": [{"descriptions": [{"type": "CWE", "cweId": "CWE-306", "lang": "en", "description": "CWE-306 Missing Authentication for Critical Function"}]}], "metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2024-07-15T18:11:12.488440Z", "id": "CVE-2024-36457", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-11-12T18:12:40.781Z"}}, {"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T03:37:05.380Z"}, "title": "CVE Program Container", "references": [{"url": "https://support.broadcom.com/web/ecx/support-content-notification/-/external/content/SecurityAdvisories/0/24678", "tags": ["x_transferred"]}]}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "https://support.broadcom.com/web/ecx/support-content-notification/-/external/content/SecurityAdvisories/0/24678", "tags": ["x_transferred"]}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T03:37:05.380Z"}}, {"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2024-36457", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2024-07-15T18:11:12.488440Z"}}}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-306", "description": "CWE-306 Missing Authentication for Critical Function"}]}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-07-15T18:11:15.980Z"}}], "cna": {"title": "Symantec Privileged Access Manager Authentication Bypass vulnerability", "source": {"discovery": "UNKNOWN"}, "credits": [{"lang": "en", "type": "finder", "value": "Abdel Adim `smaury` Oisfi of Shielder (https://www.shielder.com) - research@shielder.com"}, {"lang": "en", "type": "finder", "value": "Paolo Cavagli\u00e0 of Shielder (https://www.shielder.com) - research@shielder.com"}], "impacts": [{"capecId": "CAPEC-115", "descriptions": [{"lang": "en", "value": "CAPEC-115 Authentication Bypass"}]}], "metrics": [{"format": "CVSS", "cvssV4_0": {"Safety": "NOT_DEFINED", "version": "4.0", "Recovery": "NOT_DEFINED", "baseScore": 5.3, "Automatable": "NOT_DEFINED", "attackVector": "ADJACENT", "baseSeverity": "MEDIUM", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N", "providerUrgency": "NOT_DEFINED", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "LOW", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "NONE", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "Broadcom", "product": "Symantec Privileged Access Management", "versions": [{"status": "affected", "version": "4.1.0 - 4.1.7"}, {"status": "affected", "version": "3.4.6"}], "defaultStatus": "unaffected"}], "references": [{"url": "https://support.broadcom.com/web/ecx/support-content-notification/-/external/content/SecurityAdvisories/0/24678"}], "x_generator": {"engine": "Vulnogram 0.2.0"}, "descriptions": [{"lang": "en", "value": "The vulnerability allows an attacker to bypass the authentication requirements for a specific PAM endpoint.", "supportingMedia": [{"type": "text/html", "value": "\n\n<span style=\"background-color: rgb(255, 255, 255);\">The vulnerability allows an attacker to bypass the authentication requirements for a specific PAM endpoint.</span>\n\n", "base64": false}]}], "providerMetadata": {"orgId": "80d3bcb6-88de-48c2-a47e-aebf795f19b5", "shortName": "symantec", "dateUpdated": "2024-07-15T13:39:19.248Z"}}}, "cveMetadata": {"cveId": "CVE-2024-36457", "state": "PUBLISHED", "dateUpdated": "2024-11-12T18:12:40.781Z", "dateReserved": "2024-05-28T10:24:37.077Z", "assignerOrgId": "80d3bcb6-88de-48c2-a47e-aebf795f19b5", "datePublished": "2024-07-15T13:39:19.248Z", "assignerShortName": "symantec"}, "dataVersion": "5.1"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The vulnerability allows an attacker to bypass the authentication requirements for a specific PAM endpoint."}, {"lang": "es", "value": "La vulnerabilidad permite a un atacante eludir los requisitos de autenticaci\u00f3n para un endpoint PAM espec\u00edfico."}], "id": "CVE-2024-36457", "lastModified": "2024-11-12T19:35:08.833", "metrics": {"cvssMetricV40": [{"cvssData": {"attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "ADJACENT", "automatable": "NOT_DEFINED", "availabilityRequirements": "NOT_DEFINED", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityRequirements": "NOT_DEFINED", "exploitMaturity": "NOT_DEFINED", "integrityRequirements": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubsequentSystemAvailability": "NOT_DEFINED", "modifiedSubsequentSystemConfidentiality": "NOT_DEFINED", "modifiedSubsequentSystemIntegrity": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnerableSystemAvailability": "NOT_DEFINED", "modifiedVulnerableSystemConfidentiality": "NOT_DEFINED", "modifiedVulnerableSystemIntegrity": "NOT_DEFINED", "privilegesRequired": "NONE", "providerUrgency": "NOT_DEFINED", "recovery": "NOT_DEFINED", "safety": "NOT_DEFINED", "subsequentSystemAvailability": "NONE", "subsequentSystemConfidentiality": "NONE", "subsequentSystemIntegrity": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnerabilityResponseEffort": "NOT_DEFINED", "vulnerableSystemAvailability": "NONE", "vulnerableSystemConfidentiality": "NONE", "vulnerableSystemIntegrity": "LOW"}, "source": "secure@symantec.com", "type": "Secondary"}]}, "published": "2024-07-15T14:15:02.917", "references": [{"source": "secure@symantec.com", "url": "https://support.broadcom.com/web/ecx/support-content-notification/-/external/content/SecurityAdvisories/0/24678"}], "sourceIdentifier": "secure@symantec.com", "vulnStatus": "Awaiting Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-306"}], "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}