OpenCVE

The health endpoint is public so everybody can see a list of all services. It is potentially valuable information for attackers.

No CVSS v4.0

Attack Vector Network

Attack Complexity High

Privileges Required None

Scope Changed

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

Exploitation none

Automatable no

Technical Impact total

Vendors	Products
Linuxfoundation	Api Mediation Layer Zowe Api Mediation Layer

Configuration 1 [-]

OR	cpe:2.3:a:linuxfoundation:api_mediation_layer::::::::
	cpe:2.3:a:linuxfoundation:api_mediation_layer::::::::

No data.

References

Link	Providers
https://github.com/zowe/api-layer

History

Mon, 25 Nov 2024 18:30:00 +0000

Type	Values Removed	Values Added
First Time appeared		Linuxfoundation api Mediation Layer
CPEs		cpe:2.3:a:linuxfoundation:api_mediation_layer::::::::
Vendors & Products		Linuxfoundation api Mediation Layer

Thu, 10 Oct 2024 15:15:00 +0000

Type	Values Removed	Values Added
First Time appeared		Linuxfoundation Linuxfoundation zowe Api Mediation Layer
Weaknesses		CWE-312
CPEs		cpe:2.3:a:linuxfoundation:zowe_api_mediation_layer::::::::
Vendors & Products		Linuxfoundation Linuxfoundation zowe Api Mediation Layer
Metrics		ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}`

Thu, 10 Oct 2024 07:45:00 +0000

Type	Values Removed	Values Added
Description		The health endpoint is public so everybody can see a list of all services. It is potentially valuable information for attackers.
Title		Health endpoint offers list of onboarded services to unauthenticated users
References		https://github.com/zowe/api-layer
Metrics		cvssV3_1 `{'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H/E:F/RL:T/RC:C/CR:H/IR:H/AR:M/MAV:N/MAC:L/MPR:N/MUI:N/MS:C/MC:H/MI:H/MA:H'}`

MITRE

Status: PUBLISHED

Assigner: Zowe

Published: 2024-10-10T07:29:10.066Z

Updated: 2024-10-10T14:21:58.664Z

Reserved: 2024-10-10T07:29:09.962Z

Link: CVE-2024-9798

Vulnrichment

Updated: 2024-10-10T14:21:51.411Z

NVD

Status : Analyzed

Published: 2024-10-10T08:15:04.207

Modified: 2024-11-25T18:00:47.637

Link: CVE-2024-9798

Redhat

No data.

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2024-9798", "assignerOrgId": "b1336bef-059d-4e13-b11b-9a6ef21b3c78", "state": "PUBLISHED", "assignerShortName": "Zowe", "dateReserved": "2024-10-10T07:29:09.962Z", "datePublished": "2024-10-10T07:29:10.066Z", "dateUpdated": "2024-10-10T14:21:58.664Z"}, "containers": {"cna": {"title": "Health endpoint offers list of onboarded services to unauthenticated users", "affected": [{"vendor": "Open Mainframe Project", "product": "Zowe", "versions": [{"version": "2.0.0", "status": "affected", "lessThan": "2.18.0", "versionType": "semver"}, {"version": "1.0.0", "status": "affected", "lessThan": "1.28.8", "versionType": "semver"}]}], "descriptions": [{"lang": "en", "value": "The health endpoint is public so everybody can see a list of all services. It is potentially valuable information for attackers."}], "metrics": [{"format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}], "cvssV3_1": {"version": "3.1", "baseScore": 5.3, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H/E:F/RL:T/RC:C/CR:H/IR:H/AR:M/MAV:N/MAC:L/MPR:N/MUI:N/MS:C/MC:H/MI:H/MA:H"}}], "solutions": [{"lang": "en", "value": "In version 2.18.0 set configuration property `apiml.health.protected` to `true` to require authentication or upgrade to version 3."}], "workarounds": [{"lang": "en", "value": "No workaround is available."}], "exploits": [{"lang": "en", "value": "There are no known exploits of this issue however exploits targeting this issue are publicly available."}], "credits": [{"lang": "en", "value": "Pablo Hernan Carle", "type": "finder"}, {"lang": "en", "value": "Pavel Jare\u0161", "type": "finder"}], "providerMetadata": {"orgId": "b1336bef-059d-4e13-b11b-9a6ef21b3c78", "shortName": "Zowe", "dateUpdated": "2024-10-10T07:29:10.066Z"}, "references": [{"tags": ["product"], "url": "https://github.com/zowe/api-layer"}]}, "adp": [{"problemTypes": [{"descriptions": [{"type": "CWE", "cweId": "CWE-312", "lang": "en", "description": "CWE-312 Cleartext Storage of Sensitive Information"}]}], "affected": [{"vendor": "linuxfoundation", "product": "zowe_api_mediation_layer", "cpes": ["cpe:2.3:a:linuxfoundation:zowe_api_mediation_layer:*:*:*:*:*:*:*:*"], "defaultStatus": "unknown", "versions": [{"version": "2.0.0", "status": "affected", "lessThan": "2.18.0", "versionType": "semver"}, {"version": "1.0.0", "status": "affected", "lessThan": "1.28.8", "versionType": "semver"}]}], "metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2024-10-10T14:16:37.423471Z", "id": "CVE-2024-9798", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-10-10T14:21:58.664Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2024-9798", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2024-10-10T14:16:37.423471Z"}}}], "affected": [{"cpes": ["cpe:2.3:a:linuxfoundation:zowe_api_mediation_layer:*:*:*:*:*:*:*:*"], "vendor": "linuxfoundation", "product": "zowe_api_mediation_layer", "versions": [{"status": "affected", "version": "2.0.0", "lessThan": "2.18.0", "versionType": "semver"}, {"status": "affected", "version": "1.0.0", "lessThan": "1.28.8", "versionType": "semver"}], "defaultStatus": "unknown"}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-312", "description": "CWE-312 Cleartext Storage of Sensitive Information"}]}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-10-10T14:21:51.411Z"}}], "cna": {"title": "Health endpoint offers list of onboarded services to unauthenticated users", "credits": [{"lang": "en", "type": "finder", "value": "Pablo Hernan Carle"}, {"lang": "en", "type": "finder", "value": "Pavel Jare\u0161"}], "metrics": [{"format": "CVSS", "cvssV3_1": {"version": "3.1", "baseScore": 5.3, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H/E:F/RL:T/RC:C/CR:H/IR:H/AR:M/MAV:N/MAC:L/MPR:N/MUI:N/MS:C/MC:H/MI:H/MA:H"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "Open Mainframe Project", "product": "Zowe", "versions": [{"status": "affected", "version": "2.0.0", "lessThan": "2.18.0", "versionType": "semver"}, {"status": "affected", "version": "1.0.0", "lessThan": "1.28.8", "versionType": "semver"}]}], "exploits": [{"lang": "en", "value": "There are no known exploits of this issue however exploits targeting this issue are publicly available."}], "solutions": [{"lang": "en", "value": "In version 2.18.0 set configuration property `apiml.health.protected` to `true` to require authentication or upgrade to version 3."}], "references": [{"url": "https://github.com/zowe/api-layer", "tags": ["product"]}], "workarounds": [{"lang": "en", "value": "No workaround is available."}], "descriptions": [{"lang": "en", "value": "The health endpoint is public so everybody can see a list of all services. It is potentially valuable information for attackers."}], "providerMetadata": {"orgId": "b1336bef-059d-4e13-b11b-9a6ef21b3c78", "shortName": "Zowe", "dateUpdated": "2024-10-10T07:29:10.066Z"}}}, "cveMetadata": {"cveId": "CVE-2024-9798", "state": "PUBLISHED", "dateUpdated": "2024-10-10T14:21:58.664Z", "dateReserved": "2024-10-10T07:29:09.962Z", "assignerOrgId": "b1336bef-059d-4e13-b11b-9a6ef21b3c78", "datePublished": "2024-10-10T07:29:10.066Z", "assignerShortName": "Zowe"}, "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:linuxfoundation:api_mediation_layer:*:*:*:*:*:*:*:*", "matchCriteriaId": "8B9B17C8-D7CB-4E68-8FCB-DB748815328C", "versionEndExcluding": "1.28.8", "versionStartIncluding": "1.0.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:linuxfoundation:api_mediation_layer:*:*:*:*:*:*:*:*", "matchCriteriaId": "AE047C55-2406-49E6-A84D-29FC747A3C2B", "versionEndExcluding": "2.18.0", "versionStartIncluding": "2.0.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "The health endpoint is public so everybody can see a list of all services. It is potentially valuable information for attackers."}, {"lang": "es", "value": "El endpoint de salud es p\u00fablico, por lo que todos pueden ver una lista de todos los servicios. Es informaci\u00f3n potencialmente valiosa para los atacantes."}], "id": "CVE-2024-9798", "lastModified": "2024-11-25T18:00:47.637", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.0, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 2.2, "impactScore": 6.0, "source": "zowe-security@lists.openmainframeproject.org", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 1.4, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2024-10-10T08:15:04.207", "references": [{"source": "zowe-security@lists.openmainframeproject.org", "tags": ["Product"], "url": "https://github.com/zowe/api-layer"}], "sourceIdentifier": "zowe-security@lists.openmainframeproject.org", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-312"}], "source": "nvd@nist.gov", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-312"}], "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}