CVE-2024-3046

Severity Score

7.5

*CVSS v3.1

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

*KEV

Decision

Track*

*SSVC

Descriptions

In Eclipse Kura LogServlet component included in versions 5.0.0 to 5.4.1, a specifically crafted request to the servlet can allow an unauthenticated user to retrieve the device logs. Also, downloaded logs may be used by an attacker to perform privilege escalation by using the session id of an authenticated user reported in logs.

This issue affects org.eclipse.kura:org.eclipse.kura.web2 version range [2.0.600, 2.4.0], which is included in Eclipse Kura version range [5.0.0, 5.4.1]

En el componente Eclipse Kura LogServlet incluido en las versiones 5.0.0 a 5.4.1, una solicitud manipulada específicamente al servlet puede permitir que un usuario no autenticado recupere los registros del dispositivo. Además, un atacante puede utilizar los registros descargados para realizar una escalada de privilegios utilizando la identificación de sesión de un usuario autenticado informado en los registros. Este problema afecta al rango de versiones org.eclipse.kura:org.eclipse.kura.web2 [2.0.600, 2.4.0], que se incluye en el rango de versiones de Eclipse Kura [5.0.0, 5.4.1].

*Credits: Davide Virruso of Yoroi

CVSS Scores

Eclipse Foundationv3.1 7.5

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

None

Availability

None

* Common Vulnerability Scoring System

SSVC

Decision:Track*

Exploitation

None

Automatable

Tech. Impact

Total

* Organization's Worst-case Scenario

Timeline

2024-03-28 CVE Reserved
2024-04-09 CVE Published
2024-04-10 EPSS Updated
2024-08-22 CVE Updated
---------- Exploited in Wild
---------- KEV Due Date
---------- First Exploit

CWE

CWE-303: Incorrect Implementation of Authentication Algorithm

CAPEC

References (1)

URL	Tag	Source
https://gitlab.eclipse.org/security/vulnerability-reports/-/issues/188

URL	Date	SRC

URL	Date	SRC

URL	Date	SRC

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
Eclipse Foundation Search vendor "Eclipse Foundation"		Kura Search vendor "Eclipse Foundation" for product "Kura"				>= 5.0.0 <= 5.4.1 Search vendor "Eclipse Foundation" for product "Kura" and version " >= 5.0.0 <= 5.4.1"		en		Affected