216.73.217.80

CVE-2024-21545

· Published 25/09/2024 01:15 · Modified 26/09/2024 13:32

Labels: CVE-2024-21545 2024-09-25CVE-2024-21545CWE-73[email protected]

Essential information

Published
25/09/2024 01:15
Modified
26/09/2024 13:32
Author
Creator
CVSS
8.2 HIGH (v3.1)
CISA KEV
No
CWE
CVSS vector
CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:N

CVSS metrics

Description

Proxmox Virtual Environment is an open-source server management platform for enterprise virtualization. Insufficient safeguards against malicious API response values allow authenticated attackers with 'Sys.Audit' or 'VM.Monitor' privileges to download arbitrary host files via the API. When handling the result from a request handler before returning it to the user, the handle_api2_request function will check for the ‘download’ or ‘data’->’download’ objects inside the request handler call response object. If present, handle_api2_request will read a local file defined by this object and return it to the user. Two endpoints were identified which can control the object returned by a request handler sufficiently that the ’download’ object is defined and user controlled. This results in arbitrary file read. The privileges of this file read can result in full compromise of the system by various impacts such as disclosing sensitive files allowing for privileged session forgery.

NVD status

Status
Awaiting Analysis — CVE has been recently published to the CVE List and has been received by the NVD.
Source
[email protected]
NVD
View on NVD

References