CVE-2024-24562

Security headers not set in vantage6-UI

Severity Score

5.4

*CVSS v3.1

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

*KEV

Decision

Track

*SSVC

Descriptions

vantage6-UI is the official user interface for the vantage6 server. In affected versions a number of security headers are not set. This issue has been addressed in commit `68dfa6614` which is expected to be included in future releases. Users are advised to upgrade when a new release is made. While an upgrade path is not available users may modify the docker image build to insert the headers into nginx.

vantage6-UI es la interfaz de usuario oficial para el servidor vantage6. En las versiones afectadas, no se establecen varios encabezados de seguridad. Este problema se solucionó en el commit `68dfa6614`, que se espera que se incluya en futuras versiones. Se recomienda a los usuarios que actualicen cuando se realice una nueva versión. Si bien no hay una ruta de actualización disponible, los usuarios pueden modificar la compilación de la imagen de la ventana acoplable para insertar los encabezados en nginx.

*Credits: N/A

CVSS Scores

GitHubv3.1 5.4

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

Required

Scope

Unchanged

Confidentiality

Low

Integrity

Low

Availability

None

* Common Vulnerability Scoring System

SSVC

Decision:Track

Exploitation

None

Automatable

Tech. Impact

Partial

* Organization's Worst-case Scenario

Timeline

2024-01-25 CVE Reserved
2024-03-14 CVE Published
2024-03-15 EPSS Updated
2024-08-01 CVE Updated
---------- Exploited in Wild
---------- KEV Due Date
---------- First Exploit

CWE

CWE-668: Exposure of Resource to Wrong Sphere
CWE-693: Protection Mechanism Failure

CAPEC

References (2)

URL	Tag	Source
https://github.com/vantage6/vantage6-UI/commit/68dfa661415182da0e5717bd58db3d00aedcbd2e	X_refsource_misc
https://github.com/vantage6/vantage6-UI/security/advisories/GHSA-gwq3-pvwq-4c9w	X_refsource_confirm

URL	Date	SRC

URL	Date	SRC

URL	Date	SRC

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
Vantage6 Search vendor "Vantage6"		Vantage6-UI Search vendor "Vantage6" for product "Vantage6-UI"				<= 4.2.0 Search vendor "Vantage6" for product "Vantage6-UI" and version " <= 4.2.0"		en		Affected