CVE-2024-3046

See a problem?
Please try reporting it to the source first.

Source

https://nvd.nist.gov/vuln/detail/CVE-2024-3046

Import Source

https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2024-3046.json

JSON Data

https://api.osv.dev/v1/vulns/CVE-2024-3046

Aliases

GHSA-frc2-w2cc-x794

Published

2024-04-09T10:15:08Z

Modified

2025-02-07T02:54:09Z

Severity

7.5 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N CVSS Calculator

Summary

[none]

Details

In Eclipse Kura LogServlet component included in versions 5.0.0 to 5.4.1, a specifically crafted request to the servlet can allow an unauthenticated user to retrieve the device logs. Also, downloaded logs may be used by an attacker to perform privilege escalation by using the session id of an authenticated user reported in logs.

This issue affects org.eclipse.kura:org.eclipse.kura.web2 version range [2.0.600, 2.4.0], which is included in Eclipse Kura version range [5.0.0, 5.4.1]

References

https://gitlab.eclipse.org/security/vulnerability-reports/-/issues/188

Affected packages

Git / github.com/eclipse/kura

Affected ranges

Type: GIT
Repo: https://github.com/eclipse/kura
Events: Introduced

d78e70cff2404e292cb9876344d171273966a66c

Last affected

d452c0336a01d59509f57cc98124edbb25563cbf