{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2024-7265", "assignerOrgId": "4bb8329e-dd38-46c1-aafb-9bf32bcb93c6", "state": "PUBLISHED", "assignerShortName": "CERT-PL", "dateReserved": "2024-07-30T08:43:01.420Z", "datePublished": "2024-08-07T10:58:25.223Z", "dateUpdated": "2024-08-08T14:37:20.227Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "unaffected", "product": "EZD RP", "vendor": "Naukowa i Akademicka Sie\u0107 Komputerowa - Pa\u0144stwowy Instytut Badawczy", "versions": [{"lessThan": "15.84", "status": "affected", "version": "15", "versionType": "custom"}, {"lessThan": "16.15", "status": "affected", "version": "16", "versionType": "custom"}, {"lessThan": "17.2", "status": "affected", "version": "17", "versionType": "custom"}]}], "credits": [{"lang": "en", "type": "finder", "value": "Jakub P\u0142atek (NASK-PIB)"}], "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Incorrect User Management vulnerability in Naukowa i Akademicka Sie\u0107 Komputerowa - Pa\u0144stwowy Instytut Badawczy EZD RP allows logged-in user to change the password of any user, including root user, which could lead to privilege escalation.&nbsp;<p>This issue affects EZD RP: from 15 before 15.84, from 16 before 16.15, from 17 before 17.2.</p>"}], "value": "Incorrect User Management vulnerability in Naukowa i Akademicka Sie\u0107 Komputerowa - Pa\u0144stwowy Instytut Badawczy EZD RP allows logged-in user to change the password of any user, including root user, which could lead to privilege escalation.\u00a0This issue affects EZD RP: from 15 before 15.84, from 16 before 16.15, from 17 before 17.2."}], "impacts": [{"capecId": "CAPEC-233", "descriptions": [{"lang": "en", "value": "CAPEC-233 Privilege Escalation"}]}], "metrics": [{"cvssV4_0": {"Automatable": "NOT_DEFINED", "Recovery": "USER", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "baseScore": 8.7, "baseSeverity": "HIGH", "privilegesRequired": "LOW", "providerUrgency": "AMBER", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "DIFFUSE", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/R:U/V:D/RE:L/U:Amber", "version": "4.0", "vulnAvailabilityImpact": "HIGH", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnerabilityResponseEffort": "LOW"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-286", "description": "CWE-286 Incorrect User Management", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "4bb8329e-dd38-46c1-aafb-9bf32bcb93c6", "shortName": "CERT-PL", "dateUpdated": "2024-08-07T10:58:25.223Z"}, "references": [{"tags": ["third-party-advisory"], "url": "https://cert.pl/en/posts/2024/08/CVE-2023-7265/"}, {"tags": ["third-party-advisory"], "url": "https://cert.pl/posts/2024/08/CVE-2023-7265/"}, {"tags": ["product"], "url": "https://www.gov.pl/web/ezd-rp"}], "source": {"discovery": "UNKNOWN"}, "title": "Privilege Escalation in EZD RP", "x_generator": {"engine": "Vulnogram 0.2.0"}}, "adp": [{"affected": [{"vendor": "nask-pib", "product": "ezd_rp", "cpes": ["cpe:2.3:a:nask-pib:ezd_rp:*:*:*:*:*:*:*:*"], "defaultStatus": "unknown", "versions": [{"version": "15", "status": "affected", "lessThan": "15.84", "versionType": "custom"}, {"version": "16", "status": "affected", "lessThan": "16.15", "versionType": "custom"}, {"version": "17", "status": "affected", "lessThan": "17.2", "versionType": "custom"}]}], "metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2024-08-07T13:13:17.569299Z", "id": "CVE-2024-7265", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-08-08T14:37:20.227Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"cna": {"title": "Privilege Escalation in EZD RP", "source": {"discovery": "UNKNOWN"}, "credits": [{"lang": "en", "type": "finder", "value": "Jakub P\u0142atek (NASK-PIB)"}], "impacts": [{"capecId": "CAPEC-233", "descriptions": [{"lang": "en", "value": "CAPEC-233 Privilege Escalation"}]}], "metrics": [{"format": "CVSS", "cvssV4_0": {"Safety": "NOT_DEFINED", "version": "4.0", "Recovery": "USER", "baseScore": 8.7, "Automatable": "NOT_DEFINED", "attackVector": "NETWORK", "baseSeverity": "HIGH", "valueDensity": "DIFFUSE", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/R:U/V:D/RE:L/U:Amber", "providerUrgency": "AMBER", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "LOW", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "HIGH", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "HIGH", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnerabilityResponseEffort": "LOW"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "Naukowa i Akademicka Sie\u0107 Komputerowa - Pa\u0144stwowy Instytut Badawczy", "product": "EZD RP", "versions": [{"status": "affected", "version": "15", "lessThan": "15.84", "versionType": "custom"}, {"status": "affected", "version": "16", "lessThan": "16.15", "versionType": "custom"}, {"status": "affected", "version": "17", "lessThan": "17.2", "versionType": "custom"}], "defaultStatus": "unaffected"}], "references": [{"url": "https://cert.pl/en/posts/2024/08/CVE-2023-7265/", "tags": ["third-party-advisory"]}, {"url": "https://cert.pl/posts/2024/08/CVE-2023-7265/", "tags": ["third-party-advisory"]}, {"url": "https://www.gov.pl/web/ezd-rp", "tags": ["product"]}], "x_generator": {"engine": "Vulnogram 0.2.0"}, "descriptions": [{"lang": "en", "value": "Incorrect User Management vulnerability in Naukowa i Akademicka Sie\u0107 Komputerowa - Pa\u0144stwowy Instytut Badawczy EZD RP allows logged-in user to change the password of any user, including root user, which could lead to privilege escalation.\u00a0This issue affects EZD RP: from 15 before 15.84, from 16 before 16.15, from 17 before 17.2.", "supportingMedia": [{"type": "text/html", "value": "Incorrect User Management vulnerability in Naukowa i Akademicka Sie\u0107 Komputerowa - Pa\u0144stwowy Instytut Badawczy EZD RP allows logged-in user to change the password of any user, including root user, which could lead to privilege escalation.&nbsp;<p>This issue affects EZD RP: from 15 before 15.84, from 16 before 16.15, from 17 before 17.2.</p>", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-286", "description": "CWE-286 Incorrect User Management"}]}], "providerMetadata": {"orgId": "4bb8329e-dd38-46c1-aafb-9bf32bcb93c6", "shortName": "CERT-PL", "dateUpdated": "2024-08-07T10:58:25.223Z"}}, "adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2024-7265", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2024-08-07T13:13:17.569299Z"}}}], "affected": [{"cpes": ["cpe:2.3:a:nask-pib:ezd_rp:*:*:*:*:*:*:*:*"], "vendor": "nask-pib", "product": "ezd_rp", "versions": [{"status": "affected", "version": "15", "lessThan": "15.84", "versionType": "custom"}, {"status": "affected", "version": "16", "lessThan": "16.15", "versionType": "custom"}, {"status": "affected", "version": "17", "lessThan": "17.2", "versionType": "custom"}], "defaultStatus": "unknown"}], "providerMetadata": {"shortName": "CISA-ADP", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "dateUpdated": "2024-08-08T14:37:01.184Z"}}]}, "cveMetadata": {"cveId": "CVE-2024-7265", "state": "PUBLISHED", "dateUpdated": "2024-08-07T10:58:25.223Z", "dateReserved": "2024-07-30T08:43:01.420Z", "assignerOrgId": "4bb8329e-dd38-46c1-aafb-9bf32bcb93c6", "datePublished": "2024-08-07T10:58:25.223Z", "assignerShortName": "CERT-PL"}, "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:nask:ezd_rp:*:*:*:*:*:*:*:*", "matchCriteriaId": "B43D39E4-75AE-42D6-B206-A70B3CB9B538", "versionEndExcluding": "15.84", "versionStartIncluding": "15", "vulnerable": true}, {"criteria": "cpe:2.3:a:nask:ezd_rp:*:*:*:*:*:*:*:*", "matchCriteriaId": "0C255177-BEAE-4B88-869C-57EBD3466ADD", "versionEndExcluding": "16.15", "versionStartIncluding": "16", "vulnerable": true}, {"criteria": "cpe:2.3:a:nask:ezd_rp:*:*:*:*:*:*:*:*", "matchCriteriaId": "50DE01F5-72FE-4ECC-B117-3B4D5E15901C", "versionEndExcluding": "17.2", "versionStartIncluding": "17", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Incorrect User Management vulnerability in Naukowa i Akademicka Sie? Komputerowa - Pa?stwowy Instytut Badawczy EZD RP allows logged-in user to change the password of any user, including root user, which could lead to privilege escalation.\u00a0This issue affects EZD RP: from 15 before 15.84, from 16 before 16.15, from 17 before 17.2."}, {"lang": "es", "value": "La vulnerabilidad de administraci\u00f3n incorrecta de usuarios en Naukowa i Akademicka Sie? Komputerowa - Pa?stwowy Instytut Badawczy EZD RP permite que un usuario conectado cambie la contrase\u00f1a de cualquier usuario, incluido el usuario root, lo que podr\u00eda provocar una escalada de privilegios. Este problema afecta a EZD RP: desde la versi\u00f3n 15 hasta la 15.84, desde la versi\u00f3n 16 hasta la 16.15, desde la versi\u00f3n 17 hasta la 17.2."}], "id": "CVE-2024-7265", "lastModified": "2024-08-23T15:09:29.843", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}], "cvssMetricV40": [{"cvssData": {"attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "automatable": "NOT_DEFINED", "availabilityRequirements": "NOT_DEFINED", "baseScore": 8.7, "baseSeverity": "HIGH", "confidentialityRequirements": "NOT_DEFINED", "exploitMaturity": "NOT_DEFINED", "integrityRequirements": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubsequentSystemAvailability": "NOT_DEFINED", "modifiedSubsequentSystemConfidentiality": "NOT_DEFINED", "modifiedSubsequentSystemIntegrity": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnerableSystemAvailability": "NOT_DEFINED", "modifiedVulnerableSystemConfidentiality": "NOT_DEFINED", "modifiedVulnerableSystemIntegrity": "NOT_DEFINED", "privilegesRequired": "LOW", "providerUrgency": "AMBER", "recovery": "USER", "safety": "NOT_DEFINED", "subsequentSystemAvailability": "NONE", "subsequentSystemConfidentiality": "NONE", "subsequentSystemIntegrity": "NONE", "userInteraction": "NONE", "valueDensity": "DIFFUSE", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:U/V:D/RE:L/U:Amber", "version": "4.0", "vulnerabilityResponseEffort": "LOW", "vulnerableSystemAvailability": "HIGH", "vulnerableSystemConfidentiality": "HIGH", "vulnerableSystemIntegrity": "HIGH"}, "source": "cvd@cert.pl", "type": "Secondary"}]}, "published": "2024-08-07T11:15:45.757", "references": [{"source": "cvd@cert.pl", "tags": ["Broken Link"], "url": "https://cert.pl/en/posts/2024/08/CVE-2023-7265/"}, {"source": "cvd@cert.pl", "tags": ["Broken Link"], "url": "https://cert.pl/posts/2024/08/CVE-2023-7265/"}, {"source": "cvd@cert.pl", "tags": ["Product"], "url": "https://www.gov.pl/web/ezd-rp"}], "sourceIdentifier": "cvd@cert.pl", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-863"}], "source": "nvd@nist.gov", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-286"}], "source": "cvd@cert.pl", "type": "Secondary"}]}

{}