Description

Proxmox Virtual Environment is an open-source server management platform for enterprise virtualization. Insufficient safeguards against malicious API response values allow authenticated attackers with 'Sys.Audit' or 'VM.Monitor' privileges to download arbitrary host files via the API. When handling the result from a request handler before returning it to the user, the handle_api2_request function will check for the ‘download’ or ‘data’->’download’ objects inside the request handler call response object. If present, handle_api2_request will read a local file defined by this object and return it to the user. Two endpoints were identified which can control the object returned by a request handler sufficiently that the ’download’ object is defined and user controlled. This results in arbitrary file read. The privileges of this file read can result in full compromise of the system by various impacts such as disclosing sensitive files allowing for privileged session forgery.

INFO

Published Date :

2024-09-24T07:25:12.184Z

Last Modified :

2024-09-24T14:57:45.924Z

Source :

snyk
AFFECTED PRODUCTS

The following products are affected by CVE-2024-21545 vulnerability.

Vendors Products
Proxmox
  • Mail Gateway
  • Virtual Environment
REFERENCES

Here, you will find a curated list of external links that provide in-depth information to CVE-2024-21545.

URL Resource
https://forum.proxmox.com/threads/proxmox-virtual-environment-security-advisories.149331/post-705345 cve-icon cve-icon
https://git.proxmox.com/?p=pve-http-server.git;a=blob;f=src/PVE/APIServer/AnyEvent.pm;h=a8d60c18102d2eea9235720852fb60d90f405d0a;hb=HEAD#l988 cve-icon cve-icon
Login to claim this CVE

CVSS Vulnerability Scoring System

Detailed values of each vector for above chart.
Attack Vector
Attack Complexity
Privileges Required
User Interaction
Scope
Confidentiality Impact
Integrity Impact
Availability Impact