ZimaOS Arbitrary File Read via Parameter Manipulation
CVE-2024-48931

7.5HIGH

Key Information:

Vendor: Icewhaletech
Status: Zimaos
Vendor: CVE Published:; 24 October 2024

🔔 Create Icewhaletech Vulnerability Alert

What is CVE-2024-48931?

ZimaOS, a fork of CasaOS designed for Zima devices and x86-64 systems with UEFI, contains a significant vulnerability in its API. Inversions 1.2.4 and earlier, the API endpoint, located at http://<Zima_Server_IP:PORT>/v3/file?token=<token>&files=<file_path>, suffers from inadequate input validation, leading to arbitrary file reading. By manipulating the files parameter, authenticated users can access sensitive system files such as /etc/shadow, which contains hashed passwords for all users on the system. This flaw is particularly dangerous as it could enable attackers to escalate privileges or compromise the system. This vulnerability arises from the API endpoint's failure to properly validate or restrict file paths submitted in the files parameter, enabling successful exploitation. As of the latest updates, no patched versions of ZimaOS have been released.

Human OS v1.0:
Ageing Is an Unpatched Zero-Day Vulnerability.

Remediate biological technical debt. Prime Ageing uses 95% high-purity SIRT6 activation to maintain genomic integrity and bolster systemic resilience.

Deploy the Patch

Affected Version(s)

ZimaOS <= 1.2.4

References

https://github.com/IceWhaleTech/ZimaOS/security/advisorie...

x_refsource_CONFIRM

https://youtu.be/FyIfcmCyDXs

x_refsource_MISC

CVSS V3.1

Score:

7.5

Severity:

HIGH

Confidentiality:

High

Integrity:

None

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Timeline

Vulnerability published
Oct 24, 2024

JSON

Icewhaletech

What is CVE-2024-48931?

Human OS v1.0: Ageing Is an Unpatched Zero-Day Vulnerability.

Affected Version(s)

References

CVSS V3.1

Timeline

Human OS v1.0:
Ageing Is an Unpatched Zero-Day Vulnerability.