CVE-2024-39324 - OpenCVE

aimeos/ai-admin-graphql is the Aimeos GraphQL API admin interface. Starting in version 2022.04.1 and prior to versions 2022.10.10, 2023.10.6, and 2024.4.2, improper access control allows a editors to manage own services via GraphQL API which isn't allowed in the JQAdm front end. Versions 2022.10.10, 2023.10.6, and 2024.4.2 contain a patch for the issue.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required High

Scope Unchanged

Confidentiality Impact None

Integrity Impact Low

Availability Impact Low

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

Exploitation none

Automatable no

Technical Impact partial

Vendors	Products
Aimeos	Ai-admin-graphql

Configuration 1 [-]

OR	cpe:2.3:a:aimeos:ai-admin-graphql::::::::
	cpe:2.3:a:aimeos:ai-admin-graphql::::::::
	cpe:2.3:a:aimeos:ai-admin-graphql:2024.04.1:::::::*

No data.

References

Link	Providers
https://github.com/aimeos/ai-admin-graphql/commit/4eabc2b973509ffa5924e7f88c8f87ee96e93b38
https://github.com/aimeos/ai-admin-graphql/commit/687059d7eb2e1d55a09ed72dad3814f35edad038
https://github.com/aimeos/ai-admin-graphql/commit/a839a5adf16fee4221d444b7d2f5140d8cabf0ac
https://github.com/aimeos/ai-admin-graphql/commit/acbb044620f4ff8e8d78a775cd205ec47cf119b3
https://github.com/aimeos/ai-admin-graphql/security/advisories/GHSA-jj68-cp4v-98qf

History

Tue, 15 Oct 2024 15:30:00 +0000

Type	Values Removed	Values Added
First Time appeared		Aimeos Aimeos ai-admin-graphql
CPEs		cpe:2.3:a:aimeos:ai-admin-graphql:::::::: cpe:2.3:a:aimeos:ai-admin-graphql:2024.04.1:::::::*
Vendors & Products		Aimeos Aimeos ai-admin-graphql

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published: 2024-07-02T20:09:22.872Z

Updated: 2024-08-02T04:19:20.752Z

Reserved: 2024-06-21T18:15:22.263Z

Link: CVE-2024-39324

Vulnrichment

Updated: 2024-07-09T15:21:08.575Z

NVD

Status : Analyzed

Published: 2024-07-02T21:15:11.213

Modified: 2024-10-15T15:09:13.847

Link: CVE-2024-39324

Redhat

No data.

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2024-39324", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2024-06-21T18:15:22.263Z", "datePublished": "2024-07-02T20:09:22.872Z", "dateUpdated": "2024-08-02T04:19:20.752Z"}, "containers": {"cna": {"title": "aimeos/ai-admin-graphql improper access control vulnerability allows editors to manage own services", "problemTypes": [{"descriptions": [{"cweId": "CWE-1220", "lang": "en", "description": "CWE-1220: Insufficient Granularity of Access Control", "type": "CWE"}]}, {"descriptions": [{"cweId": "CWE-863", "lang": "en", "description": "CWE-863: Incorrect Authorization", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 3.8, "baseSeverity": "LOW", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:L", "version": "3.1"}}], "references": [{"name": "https://github.com/aimeos/ai-admin-graphql/security/advisories/GHSA-jj68-cp4v-98qf", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/aimeos/ai-admin-graphql/security/advisories/GHSA-jj68-cp4v-98qf"}, {"name": "https://github.com/aimeos/ai-admin-graphql/commit/4eabc2b973509ffa5924e7f88c8f87ee96e93b38", "tags": ["x_refsource_MISC"], "url": "https://github.com/aimeos/ai-admin-graphql/commit/4eabc2b973509ffa5924e7f88c8f87ee96e93b38"}, {"name": "https://github.com/aimeos/ai-admin-graphql/commit/687059d7eb2e1d55a09ed72dad3814f35edad038", "tags": ["x_refsource_MISC"], "url": "https://github.com/aimeos/ai-admin-graphql/commit/687059d7eb2e1d55a09ed72dad3814f35edad038"}, {"name": "https://github.com/aimeos/ai-admin-graphql/commit/a839a5adf16fee4221d444b7d2f5140d8cabf0ac", "tags": ["x_refsource_MISC"], "url": "https://github.com/aimeos/ai-admin-graphql/commit/a839a5adf16fee4221d444b7d2f5140d8cabf0ac"}, {"name": "https://github.com/aimeos/ai-admin-graphql/commit/acbb044620f4ff8e8d78a775cd205ec47cf119b3", "tags": ["x_refsource_MISC"], "url": "https://github.com/aimeos/ai-admin-graphql/commit/acbb044620f4ff8e8d78a775cd205ec47cf119b3"}], "affected": [{"vendor": "aimeos", "product": "ai-admin-graphql", "versions": [{"version": ">= 2022.04.1, < 2022.10.10", "status": "affected"}, {"version": ">= 2023.04.1, < 2023.10.6", "status": "affected"}, {"version": "= 2024.04.1", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2024-07-02T20:09:22.872Z"}, "descriptions": [{"lang": "en", "value": "aimeos/ai-admin-graphql is the Aimeos GraphQL API admin interface. Starting in version 2022.04.1 and prior to versions 2022.10.10, 2023.10.6, and 2024.4.2, improper access control allows a editors to manage own services via GraphQL API which isn't allowed in the JQAdm front end. Versions 2022.10.10, 2023.10.6, and 2024.4.2 contain a patch for the issue.\n"}], "source": {"advisory": "GHSA-jj68-cp4v-98qf", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2024-07-09T15:21:05.566787Z", "id": "CVE-2024-39324", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-07-09T15:21:12.520Z"}}, {"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T04:19:20.752Z"}, "title": "CVE Program Container", "references": [{"name": "https://github.com/aimeos/ai-admin-graphql/security/advisories/GHSA-jj68-cp4v-98qf", "tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://github.com/aimeos/ai-admin-graphql/security/advisories/GHSA-jj68-cp4v-98qf"}, {"name": "https://github.com/aimeos/ai-admin-graphql/commit/4eabc2b973509ffa5924e7f88c8f87ee96e93b38", "tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/aimeos/ai-admin-graphql/commit/4eabc2b973509ffa5924e7f88c8f87ee96e93b38"}, {"name": "https://github.com/aimeos/ai-admin-graphql/commit/687059d7eb2e1d55a09ed72dad3814f35edad038", "tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/aimeos/ai-admin-graphql/commit/687059d7eb2e1d55a09ed72dad3814f35edad038"}, {"name": "https://github.com/aimeos/ai-admin-graphql/commit/a839a5adf16fee4221d444b7d2f5140d8cabf0ac", "tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/aimeos/ai-admin-graphql/commit/a839a5adf16fee4221d444b7d2f5140d8cabf0ac"}, {"name": "https://github.com/aimeos/ai-admin-graphql/commit/acbb044620f4ff8e8d78a775cd205ec47cf119b3", "tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/aimeos/ai-admin-graphql/commit/acbb044620f4ff8e8d78a775cd205ec47cf119b3"}]}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2024-39324", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2024-07-09T15:21:05.566787Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-07-09T15:21:08.575Z"}}], "cna": {"title": "aimeos/ai-admin-graphql improper access control vulnerability allows editors to manage own services", "source": {"advisory": "GHSA-jj68-cp4v-98qf", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 3.8, "attackVector": "NETWORK", "baseSeverity": "LOW", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:L", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "LOW", "privilegesRequired": "HIGH", "confidentialityImpact": "NONE"}}], "affected": [{"vendor": "aimeos", "product": "ai-admin-graphql", "versions": [{"status": "affected", "version": ">= 2022.04.1, < 2022.10.10"}, {"status": "affected", "version": ">= 2023.04.1, < 2023.10.6"}, {"status": "affected", "version": "= 2024.04.1"}]}], "references": [{"url": "https://github.com/aimeos/ai-admin-graphql/security/advisories/GHSA-jj68-cp4v-98qf", "name": "https://github.com/aimeos/ai-admin-graphql/security/advisories/GHSA-jj68-cp4v-98qf", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/aimeos/ai-admin-graphql/commit/4eabc2b973509ffa5924e7f88c8f87ee96e93b38", "name": "https://github.com/aimeos/ai-admin-graphql/commit/4eabc2b973509ffa5924e7f88c8f87ee96e93b38", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/aimeos/ai-admin-graphql/commit/687059d7eb2e1d55a09ed72dad3814f35edad038", "name": "https://github.com/aimeos/ai-admin-graphql/commit/687059d7eb2e1d55a09ed72dad3814f35edad038", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/aimeos/ai-admin-graphql/commit/a839a5adf16fee4221d444b7d2f5140d8cabf0ac", "name": "https://github.com/aimeos/ai-admin-graphql/commit/a839a5adf16fee4221d444b7d2f5140d8cabf0ac", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/aimeos/ai-admin-graphql/commit/acbb044620f4ff8e8d78a775cd205ec47cf119b3", "name": "https://github.com/aimeos/ai-admin-graphql/commit/acbb044620f4ff8e8d78a775cd205ec47cf119b3", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "aimeos/ai-admin-graphql is the Aimeos GraphQL API admin interface. Starting in version 2022.04.1 and prior to versions 2022.10.10, 2023.10.6, and 2024.4.2, improper access control allows a editors to manage own services via GraphQL API which isn't allowed in the JQAdm front end. Versions 2022.10.10, 2023.10.6, and 2024.4.2 contain a patch for the issue.\n"}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-1220", "description": "CWE-1220: Insufficient Granularity of Access Control"}]}, {"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-863", "description": "CWE-863: Incorrect Authorization"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2024-07-02T20:09:22.872Z"}}}, "cveMetadata": {"cveId": "CVE-2024-39324", "state": "PUBLISHED", "dateUpdated": "2024-07-09T15:21:12.520Z", "dateReserved": "2024-06-21T18:15:22.263Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2024-07-02T20:09:22.872Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:aimeos:ai-admin-graphql:*:*:*:*:*:*:*:*", "matchCriteriaId": "CCCBEC57-5E51-404A-A93E-F04C20753EE8", "versionEndExcluding": "2022.10.10", "versionStartIncluding": "2022.04.1", "vulnerable": true}, {"criteria": "cpe:2.3:a:aimeos:ai-admin-graphql:*:*:*:*:*:*:*:*", "matchCriteriaId": "342DA783-3693-4F4A-9338-A419FB2BD435", "versionEndExcluding": "2023.10.6", "versionStartIncluding": "2023.04.1", "vulnerable": true}, {"criteria": "cpe:2.3:a:aimeos:ai-admin-graphql:2024.04.1:*:*:*:*:*:*:*", "matchCriteriaId": "1942C6DA-0B87-45DD-BDEE-1C68C33BCC1A", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "aimeos/ai-admin-graphql is the Aimeos GraphQL API admin interface. Starting in version 2022.04.1 and prior to versions 2022.10.10, 2023.10.6, and 2024.4.2, improper access control allows a editors to manage own services via GraphQL API which isn't allowed in the JQAdm front end. Versions 2022.10.10, 2023.10.6, and 2024.4.2 contain a patch for the issue.\n"}, {"lang": "es", "value": "aimeos/ai-admin-graphql es la interfaz de administraci\u00f3n de la API Aimeos GraphQL. A partir de la versi\u00f3n 2022.04.1 y antes de las versiones 2022.10.10, 2023.10.6 y 2024.4.2, el control de acceso inadecuado permite a los editores administrar sus propios servicios a trav\u00e9s de la API GraphQL, lo cual no est\u00e1 permitido en la interfaz JQAdm. Las versiones 2022.10.10, 2023.10.6 y 2024.4.2 contienen un parche para el problema."}], "id": "CVE-2024-39324", "lastModified": "2024-10-15T15:09:13.847", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 3.8, "baseSeverity": "LOW", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:L", "version": "3.1"}, "exploitabilityScore": 1.2, "impactScore": 2.5, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 3.8, "baseSeverity": "LOW", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:L", "version": "3.1"}, "exploitabilityScore": 1.2, "impactScore": 2.5, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2024-07-02T21:15:11.213", "references": [{"source": "security-advisories@github.com", "tags": ["Patch"], "url": "https://github.com/aimeos/ai-admin-graphql/commit/4eabc2b973509ffa5924e7f88c8f87ee96e93b38"}, {"source": "security-advisories@github.com", "tags": ["Patch"], "url": "https://github.com/aimeos/ai-admin-graphql/commit/687059d7eb2e1d55a09ed72dad3814f35edad038"}, {"source": "security-advisories@github.com", "tags": ["Patch"], "url": "https://github.com/aimeos/ai-admin-graphql/commit/a839a5adf16fee4221d444b7d2f5140d8cabf0ac"}, {"source": "security-advisories@github.com", "tags": ["Patch"], "url": "https://github.com/aimeos/ai-admin-graphql/commit/acbb044620f4ff8e8d78a775cd205ec47cf119b3"}, {"source": "security-advisories@github.com", "tags": ["Vendor Advisory"], "url": "https://github.com/aimeos/ai-admin-graphql/security/advisories/GHSA-jj68-cp4v-98qf"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-863"}], "source": "nvd@nist.gov", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-1220"}, {"lang": "en", "value": "CWE-863"}], "source": "security-advisories@github.com", "type": "Secondary"}]}