OpenCVE

An Improper access control vulnerability was found in Avaya Aura System Manager which could allow a command-line interface (CLI) user with administrative privileges to read arbitrary files on the system. Affected versions include 10.1.x.x and 10.2.x.x. Versions prior to 10.1 are end of manufacturer support.

No CVSS v4.0

Attack Vector Local

Attack Complexity Low

Privileges Required High

Scope Unchanged

Confidentiality Impact High

Integrity Impact None

Availability Impact None

User Interaction Required

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

Exploitation none

Automatable no

Technical Impact partial

Vendors	Products
Avaya	Aura System Manager

Configuration 1 [-]

OR	cpe:2.3:a:avaya:aura_system_manager::::::::
	cpe:2.3:a:avaya:aura_system_manager:10.2:::::::*

No data.

References

Link	Providers
https://download.avaya.com/css/public/documents/101091159

History

Wed, 11 Sep 2024 15:30:00 +0000

Type	Values Removed	Values Added
First Time appeared		Avaya Avaya aura System Manager
Weaknesses		NVD-CWE-noinfo
CPEs		cpe:2.3:a:avaya:aura_system_manager:::::::: cpe:2.3:a:avaya:aura_system_manager:10.2:::::::*
Vendors & Products		Avaya Avaya aura System Manager

Thu, 08 Aug 2024 19:30:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

Thu, 08 Aug 2024 16:15:00 +0000

Type	Values Removed	Values Added
Description		An Improper access control vulnerability was found in Avaya Aura System Manager which could allow a command-line interface (CLI) user with administrative privileges to read arbitrary files on the system. Affected versions include 10.1.x.x and 10.2.x.x. Versions prior to 10.1 are end of manufacturer support.
Title		Improper access control in Avaya Aura System Manager
Weaknesses		CWE-269
References		https://download.avaya.com/css/public/documents/101091159
Metrics		cvssV3_1 `{'score': 4.2, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:H/UI:R/S:U/C:H/I:N/A:N'}`

MITRE

Status: PUBLISHED

Assigner: avaya

Published: 2024-08-08T16:04:25.989Z

Updated: 2024-08-08T18:40:15.191Z

Reserved: 2024-08-05T08:33:54.944Z

Link: CVE-2024-7480

Vulnrichment

Updated: 2024-08-08T18:38:07.162Z

NVD

Status : Analyzed

Published: 2024-08-08T16:15:09.567

Modified: 2024-09-11T15:03:37.293

Link: CVE-2024-7480

Redhat

No data.

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2024-7480", "assignerOrgId": "9d670455-bdb5-4cca-a883-5914865f5d96", "state": "PUBLISHED", "assignerShortName": "avaya", "dateReserved": "2024-08-05T08:33:54.944Z", "datePublished": "2024-08-08T16:04:25.989Z", "dateUpdated": "2024-08-08T18:40:15.191Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "unaffected", "product": "Aura System Manager", "vendor": "Avaya", "versions": [{"status": "affected", "version": "10.1.x.x"}, {"status": "affected", "version": "10.2.x.x"}]}], "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "An Improper access control vulnerability was found in Avaya Aura System Manager which could allow a command-line interface (CLI) user with administrative privileges to read arbitrary files on the system. Affected versions include 10.1.x.x and 10.2.x.x. Versions prior to 10.1 are end of manufacturer support."}], "value": "An\u00a0Improper access control vulnerability was found in Avaya Aura System Manager which could allow a command-line interface (CLI) user with administrative privileges to read arbitrary files on the system.\u00a0Affected versions include 10.1.x.x and 10.2.x.x. Versions prior to 10.1 are end of manufacturer support."}], "impacts": [{"capecId": "CAPEC-180", "descriptions": [{"lang": "en", "value": "CAPEC-180 Exploiting Incorrectly Configured Access Control Security Levels"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "NONE", "baseScore": 4.2, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:H/UI:R/S:U/C:H/I:N/A:N", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-269", "description": "CWE-269 Improper Privilege Management", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "9d670455-bdb5-4cca-a883-5914865f5d96", "shortName": "avaya", "dateUpdated": "2024-08-08T16:04:25.989Z"}, "references": [{"url": "https://download.avaya.com/css/public/documents/101091159"}], "source": {"defect": ["ZEPHYR-70310"], "discovery": "EXTERNAL"}, "title": "Improper access control in Avaya Aura System Manager", "x_generator": {"engine": "Vulnogram 0.1.0-dev"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2024-08-08T18:37:59.919717Z", "id": "CVE-2024-7480", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-08-08T18:40:15.191Z"}}]}}

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2024-7480", "assignerOrgId": "9d670455-bdb5-4cca-a883-5914865f5d96", "state": "PUBLISHED", "assignerShortName": "avaya", "dateReserved": "2024-08-05T08:33:54.944Z", "datePublished": "2024-08-08T16:04:25.989Z", "dateUpdated": "2024-08-08T18:40:15.191Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "unaffected", "product": "Aura System Manager", "vendor": "Avaya", "versions": [{"status": "affected", "version": "10.1.x.x"}, {"status": "affected", "version": "10.2.x.x"}]}], "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "An Improper access control vulnerability was found in Avaya Aura System Manager which could allow a command-line interface (CLI) user with administrative privileges to read arbitrary files on the system. Affected versions include 10.1.x.x and 10.2.x.x. Versions prior to 10.1 are end of manufacturer support."}], "value": "An\u00a0Improper access control vulnerability was found in Avaya Aura System Manager which could allow a command-line interface (CLI) user with administrative privileges to read arbitrary files on the system.\u00a0Affected versions include 10.1.x.x and 10.2.x.x. Versions prior to 10.1 are end of manufacturer support."}], "impacts": [{"capecId": "CAPEC-180", "descriptions": [{"lang": "en", "value": "CAPEC-180 Exploiting Incorrectly Configured Access Control Security Levels"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "NONE", "baseScore": 4.2, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:H/UI:R/S:U/C:H/I:N/A:N", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-269", "description": "CWE-269 Improper Privilege Management", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "9d670455-bdb5-4cca-a883-5914865f5d96", "shortName": "avaya", "dateUpdated": "2024-08-08T16:04:25.989Z"}, "references": [{"url": "https://download.avaya.com/css/public/documents/101091159"}], "source": {"defect": ["ZEPHYR-70310"], "discovery": "EXTERNAL"}, "title": "Improper access control in Avaya Aura System Manager", "x_generator": {"engine": "Vulnogram 0.1.0-dev"}}, "adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2024-7480", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2024-08-08T18:37:59.919717Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-08-08T18:38:07.162Z"}}]}}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:avaya:aura_system_manager:*:*:*:*:*:*:*:*", "matchCriteriaId": "263DE525-434E-48C3-A891-8CF42C0AEBC8", "versionEndIncluding": "10.1.2", "versionStartIncluding": "10.1", "vulnerable": true}, {"criteria": "cpe:2.3:a:avaya:aura_system_manager:10.2:*:*:*:*:*:*:*", "matchCriteriaId": "2D5372F1-A670-44CD-B834-A3126F83F9D9", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "An\u00a0Improper access control vulnerability was found in Avaya Aura System Manager which could allow a command-line interface (CLI) user with administrative privileges to read arbitrary files on the system.\u00a0Affected versions include 10.1.x.x and 10.2.x.x. Versions prior to 10.1 are end of manufacturer support."}, {"lang": "es", "value": "Se encontr\u00f3 una vulnerabilidad de control de acceso inadecuado en Avaya Aura System Manager que podr\u00eda permitir a un usuario de interfaz de l\u00ednea de comandos (CLI) con privilegios administrativos leer archivos arbitrarios en el sistema. Las versiones afectadas incluyen 10.1.xx y 10.2.xx. Las versiones anteriores a 10.1 finalizan el soporte del fabricante."}], "id": "CVE-2024-7480", "lastModified": "2024-09-11T15:03:37.293", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "NONE", "baseScore": 4.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 0.8, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "NONE", "baseScore": 4.2, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:H/UI:R/S:U/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 0.6, "impactScore": 3.6, "source": "securityalerts@avaya.com", "type": "Secondary"}]}, "published": "2024-08-08T16:15:09.567", "references": [{"source": "securityalerts@avaya.com", "tags": ["Vendor Advisory"], "url": "https://download.avaya.com/css/public/documents/101091159"}], "sourceIdentifier": "securityalerts@avaya.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "NVD-CWE-noinfo"}], "source": "nvd@nist.gov", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-269"}], "source": "securityalerts@avaya.com", "type": "Secondary"}]}