Refine your search

1 vulnerability found for by IceWhaleTech

CVE-2024-48932 (GCVE-0-2024-48932)
Vulnerability from cvelistv5
Published
2024-10-24 21:00
Modified
2025-11-05 21:22
Severity ?
5.3 (Medium) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
CWE
  • CWE-284 - Improper Access Control
Summary
ZimaOS is a fork of CasaOS, an operating system for Zima devices and x86-64 systems with UEFI. In versions below 1.5.0, the API endpoint `http://<Server-ip>/v1/users/name` allows unauthenticated users to access sensitive information, such as usernames, without any authorization. This vulnerability could be exploited by an attacker to enumerate usernames and leverage them for further attacks, such as brute-force or phishing campaigns. As of time of publication, no known patched versions are available.
References
Impacted products
Vendor Product Version
IceWhaleTech ZimaOS Version: < 1.5.0
 Create a notification for this product.
Show details on NVD website

To clipboard 

{
  "containers": {
    "adp": [
      {
        "affected": [
          {
            "cpes": [
              "cpe:2.3:o:icewhaletech:zimaos:*:*:*:*:*:*:*:*"
            ],
            "defaultStatus": "unknown",
            "product": "zimaos",
            "vendor": "icewhaletech",
            "versions": [
              {
                "lessThanOrEqual": "1.2.4",
                "status": "affected",
                "version": "0",
                "versionType": "custom"
              }
            ]
          }
        ],
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2024-48932",
                "options": [
                  {
                    "Exploitation": "poc"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2024-10-25T17:31:24.642924Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2024-10-25T17:31:58.913Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "ZimaOS",
          "vendor": "IceWhaleTech",
          "versions": [
            {
              "status": "affected",
              "version": "\u003c 1.5.0"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "ZimaOS is a fork of CasaOS, an operating system for Zima devices and x86-64 systems with UEFI. In versions below 1.5.0, the API endpoint `http://\u003cServer-ip\u003e/v1/users/name` allows unauthenticated users to access sensitive information, such as usernames, without any authorization. This vulnerability could be exploited by an attacker to enumerate usernames and leverage them for further attacks, such as brute-force or phishing campaigns. As of time of publication, no known patched versions are available."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 5.3,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "LOW",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-284",
              "description": "CWE-284: Improper Access Control",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-11-05T21:22:07.798Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/IceWhaleTech/ZimaOS/security/advisories/GHSA-9mrr-px2c-w42c",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/IceWhaleTech/ZimaOS/security/advisories/GHSA-9mrr-px2c-w42c"
        },
        {
          "name": "https://github.com/IceWhaleTech/ZimaOS/security/advisories/GHSA-57r9-43pc-gcp2",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/IceWhaleTech/ZimaOS/security/advisories/GHSA-57r9-43pc-gcp2"
        },
        {
          "name": "https://youtu.be/wJFq8cuyFm4",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://youtu.be/wJFq8cuyFm4"
        }
      ],
      "source": {
        "advisory": "GHSA-9mrr-px2c-w42c",
        "discovery": "UNKNOWN"
      },
      "title": "ZimaOS Unauthenticated API Discloses Usernames"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2024-48932",
    "datePublished": "2024-10-24T21:00:27.791Z",
    "dateReserved": "2024-10-09T22:06:46.175Z",
    "dateUpdated": "2025-11-05T21:22:07.798Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}