Insufficient Safeguards Against Malicious API Response Values Allows Arbitrary File Read
CVE-2024-21545
Key Information:
- Vendor
Proxmox
- Vendor
- CVE Published:
- 25 September 2024
Badges
What is CVE-2024-21545?
The Proxmox Virtual Environment, an open-source platform designed for enterprise virtualization, is prone to an arbitrary file read vulnerability due to insufficient safeguards against malicious API response values. This vulnerability permits authenticated users with 'Sys.Audit' or 'VM.Monitor' privileges to exploit the API, allowing them to download local files from the host. Specifically, the flaw arises within the handle_api2_request function, which inadequately validates request handler responses before returning them. By manipulating request objects, attackers have the potential to control the response object sufficiently, leading to unauthorized access to sensitive files. This vulnerability can result in serious security implications, including unauthorized disclosure of sensitive information and the possibility of session forgery, raising significant concerns about the overall integrity of the system.
Affected Version(s)
libpve-common-perl (Promox Mail Gateway 8) 0 < 8.2.5
libpve-common-perl (Promox VE 8) 0 < 8.2.3
libpve-http-server-perl 3.2-1 < 4.3.0
Exploit Proof of Concept (PoC)
PoC code is written by security researchers to demonstrate the vulnerability can be exploited. PoC code is also a key component for weaponization which could lead to ransomware.
References
CVSS V3.1
Timeline
- 🟡
Public PoC available
- 👾
Exploit known to exist
Vulnerability published
Vulnerability Reserved