CVE-2024-9802

The conformance validation endpoint is public so everybody can verify the conformance of onboarded services. The response could contain specific information about the service, including available endpoints, and swagger. It could advise about the running version of a service to an attacker. The attacker could also check if a service is running.

CVSS v3 5.3 MEDIUM

5.3^/10

CVSS v3 : MEDIUM

Vector :

Exploitability : 3.9 / Impact : 1.4

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact LOW

Integrity Impact NONE

Availability Impact NONE

Scope UNCHANGED

References

Link	Resource
https://github.com/zowe/api-layer	Product

Configurations

Configuration 1 (hide)

cpe:2.3:a:linuxfoundation:api_mediation_layer:*:*:*:*:*:*:*:*

History

25 Nov 2024, 17:56

Type	Values Removed	Values Added
References	~~() https://github.com/zowe/api-layer -~~	() https://github.com/zowe/api-layer - Product
First Time		Linuxfoundation Linuxfoundation api Mediation Layer
CPE		cpe:2.3:a:linuxfoundation:api_mediation_layer::::::::

10 Oct 2024, 15:35

Type	Values Removed	Values Added
CWE		CWE-312

10 Oct 2024, 12:51

Type	Values Removed	Values Added
Summary		(es) El endpoint de validación de conformidad es público, por lo que todos pueden verificar la conformidad de los servicios incorporados. La respuesta podría contener información específica sobre el servicio, incluidos los endpoints disponibles y swagger. Podría informar a un atacante sobre la versión en ejecución de un servicio. El atacante también podría verificar si un servicio está en ejecución.

10 Oct 2024, 08:15

Type	Values Removed	Values Added
New CVE

Information

Published : 2024-10-10 08:15

Updated : 2024-11-25 17:56

NVD link : CVE-2024-9802

Mitre link : CVE-2024-9802

CVE.ORG link : CVE-2024-9802

JSON object : View

Products Affected

linuxfoundation

api_mediation_layer

CWE

CWE-312

Cleartext Storage of Sensitive Information

{"id": "CVE-2024-9802", "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "zowe-security@lists.openmainframeproject.org", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.3, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}, "impactScore": 1.4, "exploitabilityScore": 3.9}, {"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.3, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}, "impactScore": 1.4, "exploitabilityScore": 3.9}]}, "published": "2024-10-10T08:15:04.387", "references": [{"url": "https://github.com/zowe/api-layer", "tags": ["Product"], "source": "zowe-security@lists.openmainframeproject.org"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-312"}]}, {"type": "Secondary", "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "description": [{"lang": "en", "value": "CWE-312"}]}], "descriptions": [{"lang": "en", "value": "The conformance validation endpoint is public so everybody can verify the conformance of onboarded services. The response could contain specific information about the service, including available endpoints, and swagger. It could advise about the running version of a service to an attacker. The attacker could also check if a service is running."}, {"lang": "es", "value": "El endpoint de validaci\u00f3n de conformidad es p\u00fablico, por lo que todos pueden verificar la conformidad de los servicios incorporados. La respuesta podr\u00eda contener informaci\u00f3n espec\u00edfica sobre el servicio, incluidos los endpoints disponibles y swagger. Podr\u00eda informar a un atacante sobre la versi\u00f3n en ejecuci\u00f3n de un servicio. El atacante tambi\u00e9n podr\u00eda verificar si un servicio est\u00e1 en ejecuci\u00f3n."}], "lastModified": "2024-11-25T17:56:58.937", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:linuxfoundation:api_mediation_layer:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "9968ABF2-0BD5-41D7-AA9A-66FD32E21C6D", "versionEndExcluding": "2.17.0", "versionStartIncluding": "2.11.0"}], "operator": "OR"}]}], "sourceIdentifier": "zowe-security@lists.openmainframeproject.org"}