Description

Delinea Secret Server before 11.7.000001 allows attackers to bypass authentication via the SOAP API in SecretServer/webservices/SSWebService.asmx. This is related to a hardcoded key, the use of the integer 2 for the Admin user, and removal of the oauthExpirationId attribute.

INFO

Published Date :

2024-04-28T00:00:00.000Z

Last Modified :

2025-02-12T14:59:33.572Z

Source :

mitre
AFFECTED PRODUCTS

The following products are affected by CVE-2024-33891 vulnerability.

Vendors Products
Delinea
  • Secret Server
REFERENCES

Here, you will find a curated list of external links that provide in-depth information to CVE-2024-33891.

URL Resource
https://delinea.com/products/secret-server cve-icon cve-icon
https://docs.delinea.com/online-help/secret-server/release-notes/ss-rn-11-7-000001.htm cve-icon cve-icon
https://github.com/straightblast/My-PoC-Exploits/blob/master/CVE-2024-33891.py cve-icon cve-icon
https://straightblast.medium.com/all-your-secrets-are-belong-to-us-a-delinea-secret-server-authn-authz-bypass-adc26c800ad3 cve-icon cve-icon
https://trust.delinea.com/?tcuUid=17aaf4ef-ada9-46d5-bf97-abd3b07daae3 cve-icon cve-icon
Login to claim this CVE

CVSS Vulnerability Scoring System

Detailed values of each vector for above chart.
Attack Complexity
Attack Vector
Availability Impact
Confidentiality Impact
Integrity Impact
Privileges Required
Scope
User Interaction