CVE-2024-36464
Vulnerability from cvelistv5
Published
2024-11-27 14:01
Modified
2024-11-27 14:28
Severity ?
EPSS score ?
Summary
When exporting media types, the password is exported in the YAML in plain text. This appears to be a best practices type issue and may have no actual impact. The user would need to have permissions to access the media types and therefore would be expected to have access to these passwords.
References
Impacted products
{ "containers": { "adp": [ { "metrics": [ { "other": { "content": { "id": "CVE-2024-36464", "options": [ { "Exploitation": "none" }, { "Automatable": "no" }, { "Technical Impact": "partial" } ], "role": "CISA Coordinator", "timestamp": "2024-11-27T14:27:15.357237Z", "version": "2.0.3" }, "type": "ssvc" } } ], "providerMetadata": { "dateUpdated": "2024-11-27T14:28:40.384Z", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP" }, "title": "CISA ADP Vulnrichment" } ], "cna": { "affected": [ { "defaultStatus": "unaffected", "modules": [ "API", "Frontend", "Server" ], "product": "Zabbix", "repo": "https://git.zabbix.com/", "vendor": "Zabbix", "versions": [ { "changes": [ { "at": "6.0.30rc1", "status": "unaffected" } ], "lessThanOrEqual": "6.0.29", "status": "affected", "version": "6.0.0", "versionType": "git" }, { "changes": [ { "at": "6.4.16rc1", "status": "unaffected" } ], "lessThanOrEqual": "6.4.15", "status": "affected", "version": "6.4.0", "versionType": "git" }, { "changes": [ { "at": "7.0.1rc1", "status": "unaffected" } ], "lessThanOrEqual": "7.0.0", "status": "affected", "version": "7.0.0alpha1", "versionType": "git" } ] } ], "credits": [ { "lang": "en", "type": "reporter", "value": "Zabbix wants to thank Jayateertha G for submitting this report on the HackerOne bug bounty platform." } ], "datePublic": "2024-10-30T13:37:00.000Z", "descriptions": [ { "lang": "en", "supportingMedia": [ { "base64": false, "type": "text/html", "value": "When exporting media types, the password is exported in the YAML in plain text. This appears to be a best practices type issue and may have no actual impact. The user would need to have permissions to access the media types and therefore would be expected to have access to these passwords." } ], "value": "When exporting media types, the password is exported in the YAML in plain text. This appears to be a best practices type issue and may have no actual impact. The user would need to have permissions to access the media types and therefore would be expected to have access to these passwords." } ], "impacts": [ { "descriptions": [ { "lang": "en", "value": "CWE-200 Exposure of Sensitive Information to an Unauthorized Actor" } ] } ], "metrics": [ { "cvssV3_1": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 2.7, "baseSeverity": "LOW", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:N", "version": "3.1" }, "format": "CVSS", "scenarios": [ { "lang": "en", "value": "GENERAL" } ] } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-256", "description": "CWE-256 Plaintext Storage of a Password", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2024-11-27T14:01:58.136Z", "orgId": "72de3e22-0555-4a0d-ae81-9249e0f0a1e8", "shortName": "Zabbix" }, "references": [ { "url": "https://support.zabbix.com/browse/ZBX-25630" } ], "source": { "discovery": "EXTERNAL" }, "title": "Media Types: Office365, SMTP passwords are unencrypted and visible in plaintext when exported", "x_generator": { "engine": "Vulnogram 0.2.0" } } }, "cveMetadata": { "assignerOrgId": "72de3e22-0555-4a0d-ae81-9249e0f0a1e8", "assignerShortName": "Zabbix", "cveId": "CVE-2024-36464", "datePublished": "2024-11-27T14:01:58.136Z", "dateReserved": "2024-05-28T11:21:24.946Z", "dateUpdated": "2024-11-27T14:28:40.384Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1", "vulnerability-lookup:meta": { "nvd": "{\"cve\":{\"id\":\"CVE-2024-36464\",\"sourceIdentifier\":\"security@zabbix.com\",\"published\":\"2024-11-27T14:15:17.830\",\"lastModified\":\"2024-11-27T14:15:17.830\",\"vulnStatus\":\"Awaiting Analysis\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"When exporting media types, the password is exported in the YAML in plain text. This appears to be a best practices type issue and may have no actual impact. The user would need to have permissions to access the media types and therefore would be expected to have access to these passwords.\"},{\"lang\":\"es\",\"value\":\"Al exportar tipos de medios, la contrase\u00f1a se exporta en el YAML en texto plano. Esto parece ser un problema de tipo de mejores pr\u00e1cticas y es posible que no tenga un impacto real. El usuario necesitar\u00eda tener permisos para acceder a los tipos de medios y, por lo tanto, se esperar\u00eda que tuviera acceso a estas contrase\u00f1as.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"security@zabbix.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:N\",\"baseScore\":2.7,\"baseSeverity\":\"LOW\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"HIGH\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"LOW\",\"integrityImpact\":\"NONE\",\"availabilityImpact\":\"NONE\"},\"exploitabilityScore\":1.2,\"impactScore\":1.4}]},\"weaknesses\":[{\"source\":\"security@zabbix.com\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-256\"}]}],\"references\":[{\"url\":\"https://support.zabbix.com/browse/ZBX-25630\",\"source\":\"security@zabbix.com\"}]}}" } }
Loading…
Loading…
Sightings
Author | Source | Type | Date |
---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
- Confirmed: The vulnerability is confirmed from an analyst perspective.
- Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
- Patched: This vulnerability was successfully patched by the user reporting the sighting.
- Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
- Not confirmed: The user expresses doubt about the veracity of the vulnerability.
- Not patched: This vulnerability was not successfully patched by the user reporting the sighting.