{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2024-7265", "assignerOrgId": "4bb8329e-dd38-46c1-aafb-9bf32bcb93c6", "state": "PUBLISHED", "assignerShortName": "CERT-PL", "dateReserved": "2024-07-30T08:43:01.420Z", "datePublished": "2024-08-07T10:58:25.223Z", "dateUpdated": "2024-10-10T15:36:21.423Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "unaffected", "product": "EZD RP", "vendor": "Naukowa i Akademicka Sie\u0107 Komputerowa - Pa\u0144stwowy Instytut Badawczy", "versions": [{"lessThan": "15.84", "status": "affected", "version": "15", "versionType": "custom"}, {"lessThan": "16.15", "status": "affected", "version": "16", "versionType": "custom"}, {"lessThan": "17.2", "status": "affected", "version": "17", "versionType": "custom"}]}], "credits": [{"lang": "en", "type": "finder", "value": "Jakub P\u0142atek (NASK-PIB)"}], "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Incorrect User Management vulnerability in Naukowa i Akademicka Sie\u0107 Komputerowa - Pa\u0144stwowy Instytut Badawczy EZD RP allows logged-in user to change the password of any user, including root user, which could lead to privilege escalation.&nbsp;<p>This issue affects EZD RP: from 15 before 15.84, from 16 before 16.15, from 17 before 17.2.</p>"}], "value": "Incorrect User Management vulnerability in Naukowa i Akademicka Sie\u0107 Komputerowa - Pa\u0144stwowy Instytut Badawczy EZD RP allows logged-in user to change the password of any user, including root user, which could lead to privilege escalation.\u00a0This issue affects EZD RP: from 15 before 15.84, from 16 before 16.15, from 17 before 17.2."}], "impacts": [{"capecId": "CAPEC-233", "descriptions": [{"lang": "en", "value": "CAPEC-233 Privilege Escalation"}]}], "metrics": [{"cvssV4_0": {"Automatable": "NOT_DEFINED", "Recovery": "USER", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "baseScore": 8.7, "baseSeverity": "HIGH", "privilegesRequired": "LOW", "providerUrgency": "AMBER", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "DIFFUSE", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/R:U/V:D/RE:L/U:Amber", "version": "4.0", "vulnAvailabilityImpact": "HIGH", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnerabilityResponseEffort": "LOW"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-863", "description": "CWE-863 Incorrect Authorization", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "4bb8329e-dd38-46c1-aafb-9bf32bcb93c6", "shortName": "CERT-PL", "dateUpdated": "2024-10-10T15:36:21.423Z"}, "references": [{"tags": ["third-party-advisory"], "url": "https://cert.pl/en/posts/2024/08/CVE-2023-7265/"}, {"tags": ["third-party-advisory"], "url": "https://cert.pl/posts/2024/08/CVE-2023-7265/"}, {"tags": ["product"], "url": "https://www.gov.pl/web/ezd-rp"}], "source": {"discovery": "UNKNOWN"}, "title": "Privilege Escalation in EZD RP", "x_generator": {"engine": "Vulnogram 0.2.0"}}, "adp": [{"affected": [{"vendor": "nask-pib", "product": "ezd_rp", "cpes": ["cpe:2.3:a:nask-pib:ezd_rp:*:*:*:*:*:*:*:*"], "defaultStatus": "unknown", "versions": [{"version": "15", "status": "affected", "lessThan": "15.84", "versionType": "custom"}, {"version": "16", "status": "affected", "lessThan": "16.15", "versionType": "custom"}, {"version": "17", "status": "affected", "lessThan": "17.2", "versionType": "custom"}]}], "metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2024-08-07T13:13:17.569299Z", "id": "CVE-2024-7265", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-08-08T14:37:20.227Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2024-7265", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2024-08-07T13:13:17.569299Z"}}}], "affected": [{"cpes": ["cpe:2.3:a:nask-pib:ezd_rp:*:*:*:*:*:*:*:*"], "vendor": "nask-pib", "product": "ezd_rp", "versions": [{"status": "affected", "version": "15", "lessThan": "15.84", "versionType": "custom"}, {"status": "affected", "version": "16", "lessThan": "16.15", "versionType": "custom"}, {"status": "affected", "version": "17", "lessThan": "17.2", "versionType": "custom"}], "defaultStatus": "unknown"}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-08-08T14:37:01.184Z"}}], "cna": {"title": "Privilege Escalation in EZD RP", "source": {"discovery": "UNKNOWN"}, "credits": [{"lang": "en", "type": "finder", "value": "Jakub P\u0142atek (NASK-PIB)"}], "impacts": [{"capecId": "CAPEC-233", "descriptions": [{"lang": "en", "value": "CAPEC-233 Privilege Escalation"}]}], "metrics": [{"format": "CVSS", "cvssV4_0": {"Safety": "NOT_DEFINED", "version": "4.0", "Recovery": "USER", "baseScore": 8.7, "Automatable": "NOT_DEFINED", "attackVector": "NETWORK", "baseSeverity": "HIGH", "valueDensity": "DIFFUSE", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/R:U/V:D/RE:L/U:Amber", "providerUrgency": "AMBER", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "LOW", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "HIGH", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "HIGH", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnerabilityResponseEffort": "LOW"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "Naukowa i Akademicka Sie\u0107 Komputerowa - Pa\u0144stwowy Instytut Badawczy", "product": "EZD RP", "versions": [{"status": "affected", "version": "15", "lessThan": "15.84", "versionType": "custom"}, {"status": "affected", "version": "16", "lessThan": "16.15", "versionType": "custom"}, {"status": "affected", "version": "17", "lessThan": "17.2", "versionType": "custom"}], "defaultStatus": "unaffected"}], "references": [{"url": "https://cert.pl/en/posts/2024/08/CVE-2023-7265/", "tags": ["third-party-advisory"]}, {"url": "https://cert.pl/posts/2024/08/CVE-2023-7265/", "tags": ["third-party-advisory"]}, {"url": "https://www.gov.pl/web/ezd-rp", "tags": ["product"]}], "x_generator": {"engine": "Vulnogram 0.2.0"}, "descriptions": [{"lang": "en", "value": "Incorrect User Management vulnerability in Naukowa i Akademicka Sie\u0107 Komputerowa - Pa\u0144stwowy Instytut Badawczy EZD RP allows logged-in user to change the password of any user, including root user, which could lead to privilege escalation.\u00a0This issue affects EZD RP: from 15 before 15.84, from 16 before 16.15, from 17 before 17.2.", "supportingMedia": [{"type": "text/html", "value": "Incorrect User Management vulnerability in Naukowa i Akademicka Sie\u0107 Komputerowa - Pa\u0144stwowy Instytut Badawczy EZD RP allows logged-in user to change the password of any user, including root user, which could lead to privilege escalation.&nbsp;<p>This issue affects EZD RP: from 15 before 15.84, from 16 before 16.15, from 17 before 17.2.</p>", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-863", "description": "CWE-863 Incorrect Authorization"}]}], "providerMetadata": {"orgId": "4bb8329e-dd38-46c1-aafb-9bf32bcb93c6", "shortName": "CERT-PL", "dateUpdated": "2024-10-10T15:36:21.423Z"}}}, "cveMetadata": {"cveId": "CVE-2024-7265", "state": "PUBLISHED", "dateUpdated": "2024-10-10T15:36:21.423Z", "dateReserved": "2024-07-30T08:43:01.420Z", "assignerOrgId": "4bb8329e-dd38-46c1-aafb-9bf32bcb93c6", "datePublished": "2024-08-07T10:58:25.223Z", "assignerShortName": "CERT-PL"}, "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:nask:ezd_rp:*:*:*:*:*:*:*:*", "matchCriteriaId": "B43D39E4-75AE-42D6-B206-A70B3CB9B538", "versionEndExcluding": "15.84", "versionStartIncluding": "15", "vulnerable": true}, {"criteria": "cpe:2.3:a:nask:ezd_rp:*:*:*:*:*:*:*:*", "matchCriteriaId": "0C255177-BEAE-4B88-869C-57EBD3466ADD", "versionEndExcluding": "16.15", "versionStartIncluding": "16", "vulnerable": true}, {"criteria": "cpe:2.3:a:nask:ezd_rp:*:*:*:*:*:*:*:*", "matchCriteriaId": "50DE01F5-72FE-4ECC-B117-3B4D5E15901C", "versionEndExcluding": "17.2", "versionStartIncluding": "17", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Incorrect User Management vulnerability in Naukowa i Akademicka Sie\u0107 Komputerowa - Pa\u0144stwowy Instytut Badawczy EZD RP allows logged-in user to change the password of any user, including root user, which could lead to privilege escalation.\u00a0This issue affects EZD RP: from 15 before 15.84, from 16 before 16.15, from 17 before 17.2."}, {"lang": "es", "value": "La vulnerabilidad de administraci\u00f3n incorrecta de usuarios en Naukowa i Akademicka Sie? Komputerowa - Pa?stwowy Instytut Badawczy EZD RP permite que un usuario conectado cambie la contrase\u00f1a de cualquier usuario, incluido el usuario root, lo que podr\u00eda provocar una escalada de privilegios. Este problema afecta a EZD RP: desde la versi\u00f3n 15 hasta la 15.84, desde la versi\u00f3n 16 hasta la 16.15, desde la versi\u00f3n 17 hasta la 17.2."}], "id": "CVE-2024-7265", "lastModified": "2024-10-10T16:15:08.763", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 5.9, "source": "[email protected]", "type": "Primary"}], "cvssMetricV40": [{"cvssData": {"attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "automatable": "NOT_DEFINED", "availabilityRequirements": "NOT_DEFINED", "baseScore": 8.7, "baseSeverity": "HIGH", "confidentialityRequirements": "NOT_DEFINED", "exploitMaturity": "NOT_DEFINED", "integrityRequirements": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubsequentSystemAvailability": "NOT_DEFINED", "modifiedSubsequentSystemConfidentiality": "NOT_DEFINED", "modifiedSubsequentSystemIntegrity": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnerableSystemAvailability": "NOT_DEFINED", "modifiedVulnerableSystemConfidentiality": "NOT_DEFINED", "modifiedVulnerableSystemIntegrity": "NOT_DEFINED", "privilegesRequired": "LOW", "providerUrgency": "AMBER", "recovery": "USER", "safety": "NOT_DEFINED", "subsequentSystemAvailability": "NONE", "subsequentSystemConfidentiality": "NONE", "subsequentSystemIntegrity": "NONE", "userInteraction": "NONE", "valueDensity": "DIFFUSE", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:U/V:D/RE:L/U:Amber", "version": "4.0", "vulnerabilityResponseEffort": "LOW", "vulnerableSystemAvailability": "HIGH", "vulnerableSystemConfidentiality": "HIGH", "vulnerableSystemIntegrity": "HIGH"}, "source": "[email protected]", "type": "Secondary"}]}, "published": "2024-08-07T11:15:45.757", "references": [{"source": "[email protected]", "tags": ["Broken Link"], "url": "https://cert.pl/en/posts/2024/08/CVE-2023-7265/"}, {"source": "[email protected]", "tags": ["Broken Link"], "url": "https://cert.pl/posts/2024/08/CVE-2023-7265/"}, {"source": "[email protected]", "tags": ["Product"], "url": "https://www.gov.pl/web/ezd-rp"}], "sourceIdentifier": "[email protected]", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-863"}], "source": "[email protected]", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-863"}], "source": "[email protected]", "type": "Secondary"}]}

{}