CVE-2024-3046: Unauthenticated User Can Retrieve Device Logs / Privilege Escalation via Logs
CVE-2024-3046

CVSS 7.5 (HIGH)

Key Information:

Vendor: Eclipse Foundation (Eclipse Kura)
CVE Published: 9 April 2024

Summary

In Eclipse Kura versions 5.0.0 through 5.4.1, the LogServlet component lets an unauthenticated user retrieve device logs with a specifically crafted request. Because those logs contain the session IDs of authenticated users, an attacker who obtains them can reuse a session ID to escalate privileges. The affected bundle is org.eclipse.kura.web2, versions 2.0.600 through 2.4.0 inclusive; when triaging a deployment, check both the Kura product version and the version of this bundle, since the bundle range is what actually carries the flaw.
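The following is an added triage helper, not code from the Eclipse Kura project. It checks a reported Kura or org.eclipse.kura.web2 version against the inclusive ranges quoted in this advisory, and shows the log-scrubbing step that removes the material the escalation depends on: masking session-ID-like tokens before log text leaves the device. The cookie name JSESSIONID (the servlet-container default) and the sample log lines are assumptions constructed for the example; the advisory does not state the exact token format Kura writes to its logs.

```python
"""Triage helper for CVE-2024-3046 (Eclipse Kura LogServlet).

Added example, not code from the Eclipse Kura project. Version ranges
come from the advisory; the session-cookie name and the sample log
lines below are assumptions made for illustration.
"""
import re
from typing import Tuple

# Inclusive affected ranges as stated in the advisory.
KURA_AFFECTED = ((5, 0, 0), (5, 4, 1))        # Eclipse Kura product
WEB2_AFFECTED = ((2, 0, 600), (2, 4, 0))      # org.eclipse.kura.web2 bundle


def parse_version(text: str) -> Tuple[int, int, int]:
    """Turn '5.4.1' or '2.0.600.SNAPSHOT' into (major, minor, micro).

    Trailing non-numeric segments (OSGi qualifiers) are ignored and a
    missing micro segment is treated as 0, so '5.4' parses as (5, 4, 0).
    """
    parts = []
    for seg in text.strip().split("."):
        if not seg.isdigit():
            break
        parts.append(int(seg))
    if not parts:
        raise ValueError(f"unparseable version: {text!r}")
    while len(parts) < 3:
        parts.append(0)
    return (parts[0], parts[1], parts[2])


def in_range(version: str, rng) -> bool:
    """True if version falls inside the inclusive (low, high) tuple range."""
    low, high = rng
    return low <= parse_version(version) <= high


def kura_affected(version: str) -> bool:
    return in_range(version, KURA_AFFECTED)


def web2_affected(bundle_version: str) -> bool:
    return in_range(bundle_version, WEB2_AFFECTED)


# Assumed token shape: the servlet-container default cookie name followed
# by an opaque value. Adjust the name if the deployment uses another one.
SESSION_TOKEN = re.compile(r"(JSESSIONID=)([A-Za-z0-9._-]+)")


def redact_session_ids(line: str) -> str:
    """Mask the value of every session-ID token in one log line."""
    return SESSION_TOKEN.sub(lambda m: m.group(1) + "[REDACTED]", line)


def scrub_log(text: str) -> Tuple[str, int]:
    """Redact a whole log text; returns (redacted_text, tokens_masked)."""
    return SESSION_TOKEN.subn(lambda m: m.group(1) + "[REDACTED]", text)


# Constructed sample log; logger names and values are made up for the example.
SAMPLE_LOG = (
    "2024-04-09 10:15:02 INFO  web.login - login ok user=admin "
    "JSESSIONID=node01abcDEF.node0\n"
    "2024-04-09 10:15:03 DEBUG web.filter - cookie JSESSIONID=node01xyz789.node0 "
    "path=/admin\n"
    "2024-04-09 10:16:00 INFO  core - heartbeat ok\n"
)

if __name__ == "__main__":
    for v in ("5.0.0", "5.4.1", "5.4.2"):
        print(f"Kura {v}: {'affected' if kura_affected(v) else 'not affected'}")
    for b in ("2.0.600", "2.4.0", "2.4.1"):
        print(f"web2 {b}: {'affected' if web2_affected(b) else 'not affected'}")
    scrubbed, n = scrub_log(SAMPLE_LOG)
    print(f"masked {n} session token(s):\n{scrubbed}")
```

The redaction is a defence-in-depth measure for whoever consumes the logs; it does not replace upgrading past the affected range, because the servlet itself still serves logs without authentication.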

Affected Version(s)

Eclipse Kura 5.0.0 through 5.4.1 (inclusive); bundle org.eclipse.kura.web2 2.0.600 through 2.4.0 (inclusive)

CVSS V3.1

Score: 7.5
Severity: HIGH
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Confidentiality: High
Integrity: None
Availability: None (a 7.5 base score with these metrics corresponds to a confidentiality-only impact; the High availability value shown on the original listing does not match the score)

Timeline

  • Vulnerability reserved
  • Vulnerability published: 9 April 2024

Credit

Davide Virruso of Yoroi