CVE-2024-38462 - OpenCVE

iRODS before 4.3.2 provides an msiSendMail function with a problematic dependency on the mail binary, such as in the mailMS.cpp#L94-L106 reference.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Irods	Irods

Configuration 1 [-]

cpe:2.3:a:irods:irods:*:*:*:*:*:*:*:*

No data.

References

Link	Providers
https://github.com/irods/irods/blob/97eb33f130349db5e01a4b85e89dd1da81460345/server/re/src/mailMS.cpp#L94-L106
https://github.com/irods/irods/issues/7562
https://github.com/irods/irods/issues/7651
https://irods.org/2024/05/irods-4-3-2-is-released/

History

Wed, 21 Aug 2024 16:00:00 +0000

Type	Values Removed	Values Added
Weaknesses		CWE-426

Wed, 07 Aug 2024 19:00:00 +0000

Type	Values Removed	Values Added
First Time appeared		Irods Irods irods
Weaknesses		NVD-CWE-noinfo
CPEs		cpe:2.3:a:irods:irods::::::::
Vendors & Products		Irods Irods irods
Metrics		cvssV3_1 `{'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}`

MITRE

Status: PUBLISHED

Assigner: mitre

Published: 2024-06-16T00:00:00

Updated: 2024-08-21T14:18:26.595Z

Reserved: 2024-06-16T00:00:00

Link: CVE-2024-38462

Vulnrichment

Updated: 2024-08-02T04:12:24.704Z

NVD

Status : Modified

Published: 2024-06-16T16:15:09.627

Modified: 2024-08-21T15:35:10.397

Link: CVE-2024-38462

Redhat

No data.

{"dataType": "CVE_RECORD", "cveMetadata": {"state": "PUBLISHED", "cveId": "CVE-2024-38462", "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "dateUpdated": "2024-08-21T14:18:26.595Z", "dateReserved": "2024-06-16T00:00:00", "datePublished": "2024-06-16T00:00:00"}, "containers": {"cna": {"providerMetadata": {"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre", "dateUpdated": "2024-06-16T15:17:11.014050"}, "descriptions": [{"lang": "en", "value": "iRODS before 4.3.2 provides an msiSendMail function with a problematic dependency on the mail binary, such as in the mailMS.cpp#L94-L106 reference."}], "affected": [{"vendor": "n/a", "product": "n/a", "versions": [{"version": "n/a", "status": "affected"}]}], "references": [{"url": "https://github.com/irods/irods/issues/7651"}, {"url": "https://github.com/irods/irods/issues/7562"}, {"url": "https://irods.org/2024/05/irods-4-3-2-is-released/"}, {"url": "https://github.com/irods/irods/blob/97eb33f130349db5e01a4b85e89dd1da81460345/server/re/src/mailMS.cpp#L94-L106"}], "problemTypes": [{"descriptions": [{"type": "text", "lang": "en", "description": "n/a"}]}]}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T04:12:24.704Z"}, "title": "CVE Program Container", "references": [{"url": "https://github.com/irods/irods/issues/7651", "tags": ["x_transferred"]}, {"url": "https://github.com/irods/irods/issues/7562", "tags": ["x_transferred"]}, {"url": "https://irods.org/2024/05/irods-4-3-2-is-released/", "tags": ["x_transferred"]}, {"url": "https://github.com/irods/irods/blob/97eb33f130349db5e01a4b85e89dd1da81460345/server/re/src/mailMS.cpp#L94-L106", "tags": ["x_transferred"]}]}, {"problemTypes": [{"descriptions": [{"type": "CWE", "cweId": "CWE-426", "lang": "en", "description": "CWE-426 Untrusted Search Path"}]}], "affected": [{"vendor": "irods", "product": "irods", "cpes": ["cpe:2.3:a:irods:irods:*:*:*:*:*:*:*:*"], "defaultStatus": "unknown", "versions": [{"version": "0", "status": "affected", "lessThan": "4.3.2", "versionType": "custom"}]}], "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 9.8, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}}, {"other": {"type": "ssvc", "content": {"timestamp": "2024-08-21T13:52:29.130789Z", "id": "CVE-2024-38462", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-08-21T14:18:26.595Z"}}]}, "dataVersion": "5.1"}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "https://github.com/irods/irods/issues/7651", "tags": ["x_transferred"]}, {"url": "https://github.com/irods/irods/issues/7562", "tags": ["x_transferred"]}, {"url": "https://irods.org/2024/05/irods-4-3-2-is-released/", "tags": ["x_transferred"]}, {"url": "https://github.com/irods/irods/blob/97eb33f130349db5e01a4b85e89dd1da81460345/server/re/src/mailMS.cpp#L94-L106", "tags": ["x_transferred"]}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T04:12:24.704Z"}}, {"title": "CISA ADP Vulnrichment", "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 9.8, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}}, {"other": {"type": "ssvc", "content": {"id": "CVE-2024-38462", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2024-08-21T13:52:29.130789Z"}}}], "affected": [{"cpes": ["cpe:2.3:a:irods:irods:*:*:*:*:*:*:*:*"], "vendor": "irods", "product": "irods", "versions": [{"status": "affected", "version": "0", "lessThan": "4.3.2", "versionType": "custom"}], "defaultStatus": "unknown"}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-426", "description": "CWE-426 Untrusted Search Path"}]}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-08-21T14:18:20.325Z"}}], "cna": {"affected": [{"vendor": "n/a", "product": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "references": [{"url": "https://github.com/irods/irods/issues/7651"}, {"url": "https://github.com/irods/irods/issues/7562"}, {"url": "https://irods.org/2024/05/irods-4-3-2-is-released/"}, {"url": "https://github.com/irods/irods/blob/97eb33f130349db5e01a4b85e89dd1da81460345/server/re/src/mailMS.cpp#L94-L106"}], "descriptions": [{"lang": "en", "value": "iRODS before 4.3.2 provides an msiSendMail function with a problematic dependency on the mail binary, such as in the mailMS.cpp#L94-L106 reference."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "text", "description": "n/a"}]}], "providerMetadata": {"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre", "dateUpdated": "2024-06-16T15:17:11.014050"}}}, "cveMetadata": {"cveId": "CVE-2024-38462", "state": "PUBLISHED", "dateUpdated": "2024-08-21T14:18:26.595Z", "dateReserved": "2024-06-16T00:00:00", "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "datePublished": "2024-06-16T00:00:00", "assignerShortName": "mitre"}, "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:irods:irods:*:*:*:*:*:*:*:*", "matchCriteriaId": "3B450EAB-6C4F-4515-8110-7716F5B2141B", "versionEndExcluding": "4.3.2", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "iRODS before 4.3.2 provides an msiSendMail function with a problematic dependency on the mail binary, such as in the mailMS.cpp#L94-L106 reference."}, {"lang": "es", "value": "iRODS anterior a 4.3.2 proporciona una funci\u00f3n msiSendMail con una dependencia problem\u00e1tica del binario de correo, como en la referencia mailMS.cpp#L94-L106."}], "id": "CVE-2024-38462", "lastModified": "2024-08-21T15:35:10.397", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 5.9, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}, "published": "2024-06-16T16:15:09.627", "references": [{"source": "cve@mitre.org", "tags": ["Product"], "url": "https://github.com/irods/irods/blob/97eb33f130349db5e01a4b85e89dd1da81460345/server/re/src/mailMS.cpp#L94-L106"}, {"source": "cve@mitre.org", "tags": ["Issue Tracking"], "url": "https://github.com/irods/irods/issues/7562"}, {"source": "cve@mitre.org", "tags": ["Issue Tracking", "Patch"], "url": "https://github.com/irods/irods/issues/7651"}, {"source": "cve@mitre.org", "tags": ["Release Notes"], "url": "https://irods.org/2024/05/irods-4-3-2-is-released/"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "NVD-CWE-noinfo"}], "source": "nvd@nist.gov", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-426"}], "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}