CVE-2024-26291

  1. OpenCVE
  2. Vulnerabilities (CVE)
  3. CVE-2024-26291
An Unauthenticated Arbitrary File Read vulnerability affects the Agent when installed on a system. The parameter filename does not validate the path thus allowing users to read arbitrary files. As the application runs with the highest privileges (root/NT_AUTHORITY SYSTEM) by default attackers are able to obtain sensitive information. This issue affects Avid NEXIS E-series: before 2025.5.1; Avid NEXIS F-series: before 2025.5.1; Avid NEXIS PRO+: before 2025.5.1; System Director Appliance (SDA+): before 2025.5.1.
CVSS

No CVSS.

References
Link Resource
https://raeph123.github.io/BlogPosts/Avid_Nexis/Advisory_Avid_Nexus_Agent_Multiple_Vulnerabilities_en.html
https://resources.avid.com/SupportFiles/attach/AvidNEXIS/AvidNEXIS_2025_5_1_ReadMe.pdf
Configurations

No configuration.

History

15 Jul 2025, 13:14

Type Values Removed Values Added
Summary
  • (es) Una vulnerabilidad de lectura arbitraria de archivos no autenticados afecta al Agente al instalarse en un sistema. El parámetro filename no valida la ruta, lo que permite a los usuarios leer archivos arbitrarios. Dado que la aplicación se ejecuta con los privilegios más altos (root/NT_AUTHORITY SYSTEM) por defecto, los atacantes pueden obtener información confidencial. Este problema afecta a Avid NEXIS serie E (anterior a 2025.5.1); Avid NEXIS serie F (anterior a 2025.5.1); Avid NEXIS PRO+ (anterior a 2025.5.1); System Director Appliance (SDA+): anterior a 2025.5.1.

14 Jul 2025, 10:15

Type Values Removed Values Added
Summary (en) The Application is vulnerable to an Unauthenticated Arbitrary File Read. This affects the Agent installed on Linux and Windows alike. The parameter filename does not validate the path thus allowing users to read arbitrary files. As the application runs with the highest privileges (root/NT_AUTHORITY SYSTEM) by default attackers are able to obtain sensitive information. This issue affects Avid NEXIS E-series: before 2025.5.1; Avid NEXIS F-series: before 2025.5.1; Avid NEXIS PRO+: before 2025.5.1; System Director Appliance (SDA+): before 2025.5.1. (en) An Unauthenticated Arbitrary File Read vulnerability affects the Agent when installed on a system. The parameter filename does not validate the path thus allowing users to read arbitrary files. As the application runs with the highest privileges (root/NT_AUTHORITY SYSTEM) by default attackers are able to obtain sensitive information. This issue affects Avid NEXIS E-series: before 2025.5.1; Avid NEXIS F-series: before 2025.5.1; Avid NEXIS PRO+: before 2025.5.1; System Director Appliance (SDA+): before 2025.5.1.

14 Jul 2025, 09:15

Type Values Removed Values Added
New CVE
Information

Published : 2025-07-14 09:15

Updated : 2025-07-15 13:14

NVD link : CVE-2024-26291

Mitre link : CVE-2024-26291

CVE.ORG link : CVE-2024-26291

JSON object : View

Products Affected

No product.

CWE
CWE-285

Improper Authorization