GHSA-frc2-w2cc-x794

Source
https://github.com/advisories/GHSA-frc2-w2cc-x794
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/04/GHSA-frc2-w2cc-x794/GHSA-frc2-w2cc-x794.json
JSON Data
https://api.test.osv.dev/v1/vulns/GHSA-frc2-w2cc-x794
Aliases
  • CVE-2024-3046
Published
2024-04-09T12:30:47Z
Modified
2024-04-15T20:19:17Z
Severity
  • 7.5 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Summary
Eclipse Kura LogServlet vulnerability
Details

In the Eclipse Kura LogServlet component included in versions 5.0.0 to 5.4.1, a specifically crafted request to the servlet can allow an unauthenticated user to retrieve the device logs. In addition, the downloaded logs may contain the session ID of an authenticated user, which an attacker can reuse to escalate privileges.

This issue affects org.eclipse.kura:org.eclipse.kura.web2 version range [2.0.600, 2.4.0], which is included in Eclipse Kura version range [5.0.0, 5.4.1].

Database specific
{
    "nvd_published_at": "2024-04-09T10:15:08Z",
    "cwe_ids": [
        "CWE-303"
    ],
    "severity": "HIGH",
    "github_reviewed": true,
    "github_reviewed_at": "2024-04-09T18:53:17Z"
}
References

Affected packages

Maven / org.eclipse.kura:org.eclipse.kura.web2

Package

Name
org.eclipse.kura:org.eclipse.kura.web2
Purl
pkg:maven/org.eclipse.kura/org.eclipse.kura.web2

Affected ranges

Type
ECOSYSTEM
Events
Introduced
2.0.600
Last affected
2.4.0