CVE-2024-23537 - Vulnerability Details - OpenCVE

Improper Privilege Management vulnerability in Apache Fineract.This issue affects Apache Fineract: <1.8.5. Users are recommended to upgrade to version 1.9.0, which fixes the issue.

No CVSS v4.0

Attack Vector Network

Attack Complexity High

Privileges Required Low

Scope Changed

Confidentiality Impact High

Integrity Impact High

Availability Impact Low

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Apache	Fineract

Configuration 1 [-]

cpe:2.3:a:apache:fineract:*:*:*:*:*:*:*:*

No data.

References

Link	Providers
http://www.openwall.com/lists/oss-security/2024/03/29/1
https://cwiki.apache.org/confluence/display/FINERACT/Apache+Fineract+Security+Report
https://lists.apache.org/thread/fq1ns4nprw2vqpkwwj9sw45jkwxmt9f1

History

Thu, 12 Dec 2024 18:30:00 +0000

Type	Values Removed	Values Added
First Time appeared		Apache Apache fineract
Weaknesses		NVD-CWE-noinfo
CPEs		cpe:2.3:a:apache:fineract::::::::
Vendors & Products		Apache Apache fineract

MITRE

Status: PUBLISHED

Assigner: apache

Published: 2024-03-29T14:38:05.738Z

Updated: 2024-08-01T23:06:25.238Z

Reserved: 2024-01-18T04:59:16.245Z

Link: CVE-2024-23537

Vulnrichment

Updated: 2024-08-01T23:06:25.238Z

NVD

Status : Analyzed

Published: 2024-03-29T15:15:10.253

Modified: 2024-12-12T18:09:25.500

Link: CVE-2024-23537

Redhat

No data.

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2024-23537", "assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "state": "PUBLISHED", "assignerShortName": "apache", "dateReserved": "2024-01-18T04:59:16.245Z", "datePublished": "2024-03-29T14:38:05.738Z", "dateUpdated": "2024-08-01T23:06:25.238Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "unaffected", "product": "Apache Fineract", "vendor": "Apache Software Foundation", "versions": [{"lessThan": "1.9.0", "status": "affected", "version": "0", "versionType": "semver"}]}], "credits": [{"lang": "en", "type": "reporter", "value": " Yash Sancheti "}], "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Improper Privilege Management vulnerability in Apache Fineract.<p>This issue affects Apache Fineract: <1.8.5.</p><p>Users are recommended to upgrade to version 1.9.0, which fixes the issue.</p>"}], "value": "Improper Privilege Management vulnerability in Apache Fineract.This issue affects Apache Fineract: <1.8.5.\n\nUsers are recommended to upgrade to version 1.9.0, which fixes the issue.\n\n"}], "metrics": [{"other": {"content": {"text": "important"}, "type": "Textual description of severity"}}, {"cvssV3_1": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 8.4, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:L", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-269", "description": "CWE-269 Improper Privilege Management", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "shortName": "apache", "dateUpdated": "2024-03-29T14:38:05.738Z"}, "references": [{"tags": ["vendor-advisory"], "url": "https://cwiki.apache.org/confluence/display/FINERACT/Apache+Fineract+Security+Report"}, {"tags": ["vendor-advisory"], "url": "https://lists.apache.org/thread/fq1ns4nprw2vqpkwwj9sw45jkwxmt9f1"}, {"url": "http://www.openwall.com/lists/oss-security/2024/03/29/1"}], "source": {"discovery": "UNKNOWN"}, "title": "Apache Fineract: Under certain circumstances, this vulnerability allowed users, without specific permissions, to escalate their privileges to any role. ", "x_generator": {"engine": "Vulnogram 0.1.0-dev"}}, "adp": [{"affected": [{"vendor": "apache", "product": "fineract", "cpes": ["cpe:2.3:a:apache:fineract:*:*:*:*:*:*:*:*"], "defaultStatus": "unaffected", "versions": [{"version": "0", "status": "affected", "lessThan": "1.9.0", "versionType": "custom"}]}], "metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2024-07-08T18:09:05.990965Z", "id": "CVE-2024-23537", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-07-08T20:06:52.390Z"}}, {"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-01T23:06:25.238Z"}, "title": "CVE Program Container", "references": [{"tags": ["vendor-advisory", "x_transferred"], "url": "https://cwiki.apache.org/confluence/display/FINERACT/Apache+Fineract+Security+Report"}, {"tags": ["vendor-advisory", "x_transferred"], "url": "https://lists.apache.org/thread/fq1ns4nprw2vqpkwwj9sw45jkwxmt9f1"}, {"url": "http://www.openwall.com/lists/oss-security/2024/03/29/1", "tags": ["x_transferred"]}]}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "https://cwiki.apache.org/confluence/display/FINERACT/Apache+Fineract+Security+Report", "tags": ["vendor-advisory", "x_transferred"]}, {"url": "https://lists.apache.org/thread/fq1ns4nprw2vqpkwwj9sw45jkwxmt9f1", "tags": ["vendor-advisory", "x_transferred"]}, {"url": "http://www.openwall.com/lists/oss-security/2024/03/29/1", "tags": ["x_transferred"]}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-01T23:06:25.238Z"}}, {"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2024-23537", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2024-07-08T18:09:05.990965Z"}}}], "affected": [{"cpes": ["cpe:2.3:a:apache:fineract:*:*:*:*:*:*:*:*"], "vendor": "apache", "product": "fineract", "versions": [{"status": "affected", "version": "0", "lessThan": "1.9.0", "versionType": "custom"}], "defaultStatus": "unaffected"}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-07-08T18:10:39.776Z"}}], "cna": {"title": "Apache Fineract: Under certain circumstances, this vulnerability allowed users, without specific permissions, to escalate their privileges to any role. ", "source": {"discovery": "UNKNOWN"}, "credits": [{"lang": "en", "type": "reporter", "value": " Yash Sancheti "}], "metrics": [{"other": {"type": "Textual description of severity", "content": {"text": "important"}}}, {"format": "CVSS", "cvssV3_1": {"scope": "CHANGED", "version": "3.1", "baseScore": 8.4, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:L", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "HIGH", "availabilityImpact": "LOW", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "Apache Software Foundation", "product": "Apache Fineract", "versions": [{"status": "affected", "version": "0", "lessThan": "1.9.0", "versionType": "semver"}], "defaultStatus": "unaffected"}], "references": [{"url": "https://cwiki.apache.org/confluence/display/FINERACT/Apache+Fineract+Security+Report", "tags": ["vendor-advisory"]}, {"url": "https://lists.apache.org/thread/fq1ns4nprw2vqpkwwj9sw45jkwxmt9f1", "tags": ["vendor-advisory"]}, {"url": "http://www.openwall.com/lists/oss-security/2024/03/29/1"}], "x_generator": {"engine": "Vulnogram 0.1.0-dev"}, "descriptions": [{"lang": "en", "value": "Improper Privilege Management vulnerability in Apache Fineract.This issue affects Apache Fineract: <1.8.5.\n\nUsers are recommended to upgrade to version 1.9.0, which fixes the issue.\n\n", "supportingMedia": [{"type": "text/html", "value": "Improper Privilege Management vulnerability in Apache Fineract.<p>This issue affects Apache Fineract: <1.8.5.</p><p>Users are recommended to upgrade to version 1.9.0, which fixes the issue.</p>", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-269", "description": "CWE-269 Improper Privilege Management"}]}], "providerMetadata": {"orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "shortName": "apache", "dateUpdated": "2024-03-29T14:38:05.738Z"}}}, "cveMetadata": {"cveId": "CVE-2024-23537", "state": "PUBLISHED", "dateUpdated": "2024-08-01T23:06:25.238Z", "dateReserved": "2024-01-18T04:59:16.245Z", "assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "datePublished": "2024-03-29T14:38:05.738Z", "assignerShortName": "apache"}, "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:apache:fineract:*:*:*:*:*:*:*:*", "matchCriteriaId": "17C02E41-0ACE-4D3E-A187-7B0B7AB5DB3B", "versionEndExcluding": "1.9.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Improper Privilege Management vulnerability in Apache Fineract.This issue affects Apache Fineract: <1.8.5.\n\nUsers are recommended to upgrade to version 1.9.0, which fixes the issue.\n\n"}, {"lang": "es", "value": "Vulnerabilidad de gesti\u00f3n de privilegios incorrecta en Apache Fineract. Este problema afecta a Apache Fineract: <1.8.5. Se recomienda a los usuarios actualizar a la versi\u00f3n 1.9.0, que soluciona el problema."}], "id": "CVE-2024-23537", "lastModified": "2024-12-12T18:09:25.500", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 8.4, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:L", "version": "3.1"}, "exploitabilityScore": 1.8, "impactScore": 6.0, "source": "[email protected]", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 5.9, "source": "[email protected]", "type": "Primary"}]}, "published": "2024-03-29T15:15:10.253", "references": [{"source": "[email protected]", "tags": ["Mailing List"], "url": "http://www.openwall.com/lists/oss-security/2024/03/29/1"}, {"source": "[email protected]", "tags": ["Vendor Advisory"], "url": "https://cwiki.apache.org/confluence/display/FINERACT/Apache+Fineract+Security+Report"}, {"source": "[email protected]", "tags": ["Mailing List", "Vendor Advisory"], "url": "https://lists.apache.org/thread/fq1ns4nprw2vqpkwwj9sw45jkwxmt9f1"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Mailing List"], "url": "http://www.openwall.com/lists/oss-security/2024/03/29/1"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Vendor Advisory"], "url": "https://cwiki.apache.org/confluence/display/FINERACT/Apache+Fineract+Security+Report"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Mailing List", "Vendor Advisory"], "url": "https://lists.apache.org/thread/fq1ns4nprw2vqpkwwj9sw45jkwxmt9f1"}], "sourceIdentifier": "[email protected]", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-269"}], "source": "[email protected]", "type": "Secondary"}, {"description": [{"lang": "en", "value": "NVD-CWE-noinfo"}], "source": "[email protected]", "type": "Primary"}]}