CVE-2024-3774 - Vulnerability Details - OpenCVE

aEnrich Technology a+HRD's functionality for front-end retrieval of system configuration values lacks proper restrictions on a specific parameter, allowing attackers to modify this parameter to access certain sensitive system configuration values.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact Low

Integrity Impact None

Availability Impact None

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00102.

Exploitation none

Automatable yes

Technical Impact partial

Vendors	Products
Aenrich	A\+hrd

No data.

No data.

No data.

Advisories

Source	ID	Title
EUVD	EUVD-2024-32346	aEnrich Technology a+HRD's functionality for front-end retrieval of system configuration values lacks proper restrictions on a specific parameter, allowing attackers to modify this parameter to access certain sensitive system configuration values.

Fixes

Solution

Update to eHRD to 6.8.1039V1055 or later version Update to eHRD to 7.0.1141V422 or later version Update to eHRD to 7.1.1033V429 or later version Update to eHRD to 7.2.1061V36 or later version

Workaround

No workaround given by the vendor.

References

Link	Providers
https://www.twcert.org.tw/tw/cp-132-7724-c28d3-1.html

History

Mon, 14 Oct 2024 07:45:00 +0000

Type	Values Removed	Values Added
Weaknesses	CWE-200

Mon, 14 Oct 2024 07:15:00 +0000

Type	Values Removed	Values Added
First Time appeared		Aenrich Aenrich a\+hrd
CPEs		cpe:2.3:a:aenrich:a\+hrd::::::::
Vendors & Products		Aenrich Aenrich a\+hrd
Metrics		ssvc `{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

Mon, 14 Oct 2024 06:30:00 +0000

Type	Values Removed	Values Added
Weaknesses		CWE-306 CWE-497

MITRE

Status: PUBLISHED

Assigner: twcert

Published: 2024-04-15T02:14:39.724Z

Updated: 2024-10-18T15:44:24.362Z

Reserved: 2024-04-15T01:56:13.197Z

Link: CVE-2024-3774

Vulnrichment

Updated: 2024-08-01T20:20:01.828Z

NVD

Status : Awaiting Analysis

Published: 2024-04-15T03:16:08.197

Modified: 2024-11-21T09:30:22.263

Link: CVE-2024-3774

Redhat

No data.

OpenCVE Enrichment

No data.

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2024-3774", "assignerOrgId": "cded6c7f-6ce5-4948-8f87-aa7a3bbb6b0e", "state": "PUBLISHED", "assignerShortName": "twcert", "dateReserved": "2024-04-15T01:56:13.197Z", "datePublished": "2024-04-15T02:14:39.724Z", "dateUpdated": "2024-10-18T15:44:24.362Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "unaffected", "product": "a+HRD", "vendor": "aEnrich Technology", "versions": [{"status": "affected", "version": "6.8"}, {"lessThanOrEqual": "7.2", "status": "affected", "version": "7.0", "versionType": "custom"}]}], "datePublic": "2024-04-15T02:12:00.000Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "aEnrich Technology a+HRD's functionality for front-end retrieval of system configuration values lacks proper restrictions on a specific parameter, allowing attackers to modify this parameter to access certain sensitive system configuration values."}], "value": "aEnrich Technology a+HRD's functionality for front-end retrieval of system configuration values lacks proper restrictions on a specific parameter, allowing attackers to modify this parameter to access certain sensitive system configuration values."}], "impacts": [{"capecId": "CAPEC-37", "descriptions": [{"lang": "en", "value": "CAPEC-37 Retrieve Embedded Sensitive Data"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-306", "description": "CWE-306 Missing Authentication for Critical Function", "lang": "en", "type": "CWE"}]}, {"descriptions": [{"cweId": "CWE-497", "description": "CWE-497 Exposure of Sensitive System Information to an Unauthorized Control Sphere", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "cded6c7f-6ce5-4948-8f87-aa7a3bbb6b0e", "shortName": "twcert", "dateUpdated": "2024-10-14T06:15:36.057Z"}, "references": [{"tags": ["third-party-advisory"], "url": "https://www.twcert.org.tw/tw/cp-132-7724-c28d3-1.html"}], "solutions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Update\n<span style=\"background-color: rgb(255, 255, 255);\">to</span>\n\n eHRD to 6.8.1039V1055 or later version<br>Update\n<span style=\"background-color: rgb(255, 255, 255);\">to</span>\n\n eHRD to 7.0.1141V422 or later version<br>Update\n<span style=\"background-color: rgb(255, 255, 255);\">to</span>\n\n eHRD to 7.1.1033V429 or later version <br>Update<span style=\"background-color: rgb(255, 255, 255);\"> to</span>\n\n eHRD to 7.2.1061V36 or later version"}], "value": "Update\nto\n\n eHRD to 6.8.1039V1055 or later version\nUpdate\nto\n\n eHRD to 7.0.1141V422 or later version\nUpdate\nto\n\n eHRD to 7.1.1033V429 or later version \nUpdate\u00a0to\n\n eHRD to 7.2.1061V36 or later version"}], "source": {"advisory": "TVN-202404001", "discovery": "EXTERNAL"}, "title": "aEnrich Technology a+HRD - Exposure of Sensitive Data", "x_generator": {"engine": "Vulnogram 0.1.0-dev"}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-01T20:20:01.828Z"}, "title": "CVE Program Container", "references": [{"tags": ["third-party-advisory", "x_transferred"], "url": "https://www.twcert.org.tw/tw/cp-132-7724-c28d3-1.html"}]}, {"affected": [{"vendor": "aenrich", "product": "a\\+hrd", "cpes": ["cpe:2.3:a:aenrich:a\\+hrd:*:*:*:*:*:*:*:*"], "defaultStatus": "unknown", "versions": [{"version": "6.8", "status": "affected"}, {"version": "7.0", "status": "affected", "lessThanOrEqual": "7.2", "versionType": "custom"}]}], "metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2024-08-07T15:19:48.388986Z", "id": "CVE-2024-3774", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-10-18T15:44:24.362Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "https://www.twcert.org.tw/tw/cp-132-7724-c28d3-1.html", "tags": ["third-party-advisory", "x_transferred"]}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-01T20:20:01.828Z"}}, {"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2024-3774", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2024-08-07T15:19:48.388986Z"}}}], "affected": [{"cpes": ["cpe:2.3:a:aenrich:a\\+hrd:*:*:*:*:*:*:*:*"], "vendor": "aenrich", "product": "a\\+hrd", "versions": [{"status": "affected", "version": "6.8"}, {"status": "affected", "version": "7.0", "versionType": "custom", "lessThanOrEqual": "7.2"}], "defaultStatus": "unknown"}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-09-03T17:51:58.747Z"}}], "cna": {"title": "aEnrich Technology a+HRD - Exposure of Sensitive Data", "source": {"advisory": "TVN-202404001", "discovery": "EXTERNAL"}, "impacts": [{"capecId": "CAPEC-37", "descriptions": [{"lang": "en", "value": "CAPEC-37 Retrieve Embedded Sensitive Data"}]}], "metrics": [{"format": "CVSS", "cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.3, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "aEnrich Technology", "product": "a+HRD", "versions": [{"status": "affected", "version": "6.8"}, {"status": "affected", "version": "7.0", "versionType": "custom", "lessThanOrEqual": "7.2"}], "defaultStatus": "unaffected"}], "solutions": [{"lang": "en", "value": "Update\nto\n\n eHRD to 6.8.1039V1055 or later version\nUpdate\nto\n\n eHRD to 7.0.1141V422 or later version\nUpdate\nto\n\n eHRD to 7.1.1033V429 or later version \nUpdate\u00a0to\n\n eHRD to 7.2.1061V36 or later version", "supportingMedia": [{"type": "text/html", "value": "Update\n<span style=\"background-color: rgb(255, 255, 255);\">to</span>\n\n eHRD to 6.8.1039V1055 or later version<br>Update\n<span style=\"background-color: rgb(255, 255, 255);\">to</span>\n\n eHRD to 7.0.1141V422 or later version<br>Update\n<span style=\"background-color: rgb(255, 255, 255);\">to</span>\n\n eHRD to 7.1.1033V429 or later version <br>Update<span style=\"background-color: rgb(255, 255, 255);\"> to</span>\n\n eHRD to 7.2.1061V36 or later version", "base64": false}]}], "datePublic": "2024-04-15T02:12:00.000Z", "references": [{"url": "https://www.twcert.org.tw/tw/cp-132-7724-c28d3-1.html", "tags": ["third-party-advisory"]}], "x_generator": {"engine": "Vulnogram 0.1.0-dev"}, "descriptions": [{"lang": "en", "value": "aEnrich Technology a+HRD's functionality for front-end retrieval of system configuration values lacks proper restrictions on a specific parameter, allowing attackers to modify this parameter to access certain sensitive system configuration values.", "supportingMedia": [{"type": "text/html", "value": "aEnrich Technology a+HRD's functionality for front-end retrieval of system configuration values lacks proper restrictions on a specific parameter, allowing attackers to modify this parameter to access certain sensitive system configuration values.", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-306", "description": "CWE-306 Missing Authentication for Critical Function"}]}, {"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-497", "description": "CWE-497 Exposure of Sensitive System Information to an Unauthorized Control Sphere"}]}], "providerMetadata": {"orgId": "cded6c7f-6ce5-4948-8f87-aa7a3bbb6b0e", "shortName": "twcert", "dateUpdated": "2024-10-14T06:15:36.057Z"}}}, "cveMetadata": {"cveId": "CVE-2024-3774", "state": "PUBLISHED", "dateUpdated": "2024-10-18T15:44:24.362Z", "dateReserved": "2024-04-15T01:56:13.197Z", "assignerOrgId": "cded6c7f-6ce5-4948-8f87-aa7a3bbb6b0e", "datePublished": "2024-04-15T02:14:39.724Z", "assignerShortName": "twcert"}, "dataVersion": "5.1"}