CVE-2024-3046 – org.eclipse.kura:org.eclipse.kura.web2

Package

Manager: maven
Name: org.eclipse.kura:org.eclipse.kura.web2
Vulnerable Version: >=2.0.600 <=2.4.0

Severity

Level: High

CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N

EPSS: 0.00176 pctl0.39417

Details

Eclipse Kura LogServlet vulnerability In Eclipse Kura LogServlet component included in versions 5.0.0 to 5.4.1, a specifically crafted request to the servlet can allow an unauthenticated user to retrieve the device logs. Also, downloaded logs may be used by an attacker to perform privilege escalation by using the session id of an authenticated user reported in logs. This issue affects org.eclipse.kura:org.eclipse.kura.web2 version range [2.0.600, 2.4.0], which is included in Eclipse Kura version range [5.0.0, 5.4.1].

Metadata

Created: 2024-04-09T12:30:47Z
Modified: 2024-04-15T20:19:17Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/04/GHSA-frc2-w2cc-x794/GHSA-frc2-w2cc-x794.json
CWE IDs: ["CWE-303"]
Alternative ID: GHSA-frc2-w2cc-x794
Finding: F115
Auto approve: 1