CVE-2024-1258 - Vulnerability Details - OpenCVE

A vulnerability was found in Juanpao JPShop up to 1.5.02. It has been declared as problematic. Affected by this vulnerability is an unknown functionality of the file api/config/params.php of the component API. The manipulation of the argument JWT_KEY_ADMIN leads to use of hard-coded cryptographic key . The complexity of an attack is rather high. The exploitation appears to be difficult. The exploit has been disclosed to the public and may be used. The identifier VDB-252997 was assigned to this vulnerability.

No CVSS v4.0

Attack Vector Adjacent Network

Attack Complexity High

Privileges Required None

Scope Unchanged

Confidentiality Impact Low

Integrity Impact None

Availability Impact None

User Interaction None

Attack Vector Adjacent Network

Attack Complexity High

Privileges Required None

Scope Unchanged

Confidentiality Impact Low

Integrity Impact None

Availability Impact None

User Interaction None

Access Vector Adjacent Network

Access Complexity High

Authentication None

Confidentiality Impact Partial

Integrity Impact None

Availability Impact None

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Juanpao	Jpshop

Configuration 1 [-]

cpe:2.3:a:juanpao:jpshop:*:*:*:*:*:*:*:*

No data.

References

Link	Providers
https://note.zhaoj.in/share/XblX1My7jNV7
https://vuldb.com/?ctiid.252997
https://vuldb.com/?id.252997
https://vuldb.com/?submit.277418

History

No history.

MITRE

Status: PUBLISHED

Assigner: VulDB

Published: 2024-02-06T20:31:03.761Z

Updated: 2024-08-19T20:24:12.690Z

Reserved: 2024-02-06T08:28:36.258Z

Link: CVE-2024-1258

Vulnrichment

Updated: 2024-08-01T18:33:25.121Z

NVD

Status : Modified

Published: 2024-02-06T21:15:08.660

Modified: 2024-11-21T08:50:10.573

Link: CVE-2024-1258

Redhat

No data.

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2024-1258", "assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5", "state": "PUBLISHED", "assignerShortName": "VulDB", "dateReserved": "2024-02-06T08:28:36.258Z", "datePublished": "2024-02-06T20:31:03.761Z", "dateUpdated": "2024-08-19T20:24:12.690Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "1af790b2-7ee1-4545-860a-a788eba489b5", "shortName": "VulDB", "dateUpdated": "2024-04-29T11:09:54.704Z"}, "title": "Juanpao JPShop API params.php hard-coded key", "problemTypes": [{"descriptions": [{"type": "CWE", "cweId": "CWE-321", "lang": "en", "description": "CWE-321 Use of Hard-coded Cryptographic Key\r\n"}]}], "affected": [{"vendor": "Juanpao", "product": "JPShop", "versions": [{"version": "1.5.02", "status": "affected"}], "modules": ["API"]}], "descriptions": [{"lang": "en", "value": "A vulnerability was found in Juanpao JPShop up to 1.5.02. It has been declared as problematic. Affected by this vulnerability is an unknown functionality of the file api/config/params.php of the component API. The manipulation of the argument JWT_KEY_ADMIN leads to use of hard-coded cryptographic key\r . The complexity of an attack is rather high. The exploitation appears to be difficult. The exploit has been disclosed to the public and may be used. The identifier VDB-252997 was assigned to this vulnerability."}, {"lang": "de", "value": "In Juanpao JPShop bis 1.5.02 wurde eine problematische Schwachstelle ausgemacht. Betroffen ist eine unbekannte Verarbeitung der Datei api/config/params.php der Komponente API. Durch Manipulieren des Arguments JWT_KEY_ADMIN mit unbekannten Daten kann eine use of hard-coded cryptographic key\r -Schwachstelle ausgenutzt werden. Die Komplexit\u00e4t eines Angriffs ist eher hoch. Sie gilt als schwierig ausnutzbar. Der Exploit steht zur \u00f6ffentlichen Verf\u00fcgung."}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 3.1, "vectorString": "CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N", "baseSeverity": "LOW"}}, {"cvssV3_0": {"version": "3.0", "baseScore": 3.1, "vectorString": "CVSS:3.0/AV:A/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N", "baseSeverity": "LOW"}}, {"cvssV2_0": {"version": "2.0", "baseScore": 1.8, "vectorString": "AV:A/AC:H/Au:N/C:P/I:N/A:N"}}], "timeline": [{"time": "2024-02-06T00:00:00.000Z", "lang": "en", "value": "Advisory disclosed"}, {"time": "2024-02-06T00:00:00.000Z", "lang": "en", "value": "CVE reserved"}, {"time": "2024-02-06T01:00:00.000Z", "lang": "en", "value": "VulDB entry created"}, {"time": "2024-03-01T08:05:49.000Z", "lang": "en", "value": "VulDB entry last update"}], "credits": [{"lang": "en", "value": "glzjin (VulDB User)", "type": "reporter"}], "references": [{"url": "https://vuldb.com/?id.252997", "name": "VDB-252997 | Juanpao JPShop API params.php hard-coded key", "tags": ["vdb-entry", "technical-description"]}, {"url": "https://vuldb.com/?ctiid.252997", "name": "VDB-252997 | CTI Indicators (IOB, IOC, TTP, IOA)", "tags": ["signature", "permissions-required"]}, {"url": "https://vuldb.com/?submit.277418", "name": "Submit #277418 | JPShop JPShop <=1.5.02 Auth-Bypass", "tags": ["third-party-advisory"]}, {"url": "https://note.zhaoj.in/share/XblX1My7jNV7", "tags": ["broken-link", "exploit"]}]}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-01T18:33:25.121Z"}, "title": "CVE Program Container", "references": [{"url": "https://vuldb.com/?id.252997", "name": "VDB-252997 | Juanpao JPShop API params.php hard-coded key", "tags": ["vdb-entry", "technical-description", "x_transferred"]}, {"url": "https://vuldb.com/?ctiid.252997", "name": "VDB-252997 | CTI Indicators (IOB, IOC, TTP, IOA)", "tags": ["signature", "permissions-required", "x_transferred"]}, {"url": "https://vuldb.com/?submit.277418", "name": "Submit #277418 | JPShop JPShop <=1.5.02 Auth-Bypass", "tags": ["third-party-advisory", "x_transferred"]}, {"url": "https://note.zhaoj.in/share/XblX1My7jNV7", "tags": ["broken-link", "exploit", "x_transferred"]}]}, {"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2024-08-19T20:24:03.500479Z", "id": "CVE-2024-1258", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-08-19T20:24:12.690Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "https://vuldb.com/?id.252997", "name": "VDB-252997 | Juanpao JPShop API params.php hard-coded key", "tags": ["vdb-entry", "technical-description", "x_transferred"]}, {"url": "https://vuldb.com/?ctiid.252997", "name": "VDB-252997 | CTI Indicators (IOB, IOC, TTP, IOA)", "tags": ["signature", "permissions-required", "x_transferred"]}, {"url": "https://vuldb.com/?submit.277418", "name": "Submit #277418 | JPShop JPShop <=1.5.02 Auth-Bypass", "tags": ["third-party-advisory", "x_transferred"]}, {"url": "https://note.zhaoj.in/share/XblX1My7jNV7", "tags": ["broken-link", "exploit", "x_transferred"]}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-01T18:33:25.121Z"}}, {"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2024-1258", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2024-08-19T20:24:03.500479Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-08-19T20:24:09.357Z"}}], "cna": {"title": "Juanpao JPShop API params.php hard-coded key", "credits": [{"lang": "en", "type": "reporter", "value": "glzjin (VulDB User)"}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 3.1, "baseSeverity": "LOW", "vectorString": "CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N"}}, {"cvssV3_0": {"version": "3.0", "baseScore": 3.1, "baseSeverity": "LOW", "vectorString": "CVSS:3.0/AV:A/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N"}}, {"cvssV2_0": {"version": "2.0", "baseScore": 1.8, "vectorString": "AV:A/AC:H/Au:N/C:P/I:N/A:N"}}], "affected": [{"vendor": "Juanpao", "modules": ["API"], "product": "JPShop", "versions": [{"status": "affected", "version": "1.5.02"}]}], "timeline": [{"lang": "en", "time": "2024-02-06T00:00:00.000Z", "value": "Advisory disclosed"}, {"lang": "en", "time": "2024-02-06T00:00:00.000Z", "value": "CVE reserved"}, {"lang": "en", "time": "2024-02-06T01:00:00.000Z", "value": "VulDB entry created"}, {"lang": "en", "time": "2024-03-01T08:05:49.000Z", "value": "VulDB entry last update"}], "references": [{"url": "https://vuldb.com/?id.252997", "name": "VDB-252997 | Juanpao JPShop API params.php hard-coded key", "tags": ["vdb-entry", "technical-description"]}, {"url": "https://vuldb.com/?ctiid.252997", "name": "VDB-252997 | CTI Indicators (IOB, IOC, TTP, IOA)", "tags": ["signature", "permissions-required"]}, {"url": "https://vuldb.com/?submit.277418", "name": "Submit #277418 | JPShop JPShop <=1.5.02 Auth-Bypass", "tags": ["third-party-advisory"]}, {"url": "https://note.zhaoj.in/share/XblX1My7jNV7", "tags": ["broken-link", "exploit"]}], "descriptions": [{"lang": "en", "value": "A vulnerability was found in Juanpao JPShop up to 1.5.02. It has been declared as problematic. Affected by this vulnerability is an unknown functionality of the file api/config/params.php of the component API. The manipulation of the argument JWT_KEY_ADMIN leads to use of hard-coded cryptographic key\r . The complexity of an attack is rather high. The exploitation appears to be difficult. The exploit has been disclosed to the public and may be used. The identifier VDB-252997 was assigned to this vulnerability."}, {"lang": "de", "value": "In Juanpao JPShop bis 1.5.02 wurde eine problematische Schwachstelle ausgemacht. Betroffen ist eine unbekannte Verarbeitung der Datei api/config/params.php der Komponente API. Durch Manipulieren des Arguments JWT_KEY_ADMIN mit unbekannten Daten kann eine use of hard-coded cryptographic key\r -Schwachstelle ausgenutzt werden. Die Komplexit\u00e4t eines Angriffs ist eher hoch. Sie gilt als schwierig ausnutzbar. Der Exploit steht zur \u00f6ffentlichen Verf\u00fcgung."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-321", "description": "CWE-321 Use of Hard-coded Cryptographic Key\r\n"}]}], "providerMetadata": {"orgId": "1af790b2-7ee1-4545-860a-a788eba489b5", "shortName": "VulDB", "dateUpdated": "2024-04-29T11:09:54.704Z"}}}, "cveMetadata": {"cveId": "CVE-2024-1258", "state": "PUBLISHED", "dateUpdated": "2024-08-19T20:24:12.690Z", "dateReserved": "2024-02-06T08:28:36.258Z", "assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5", "datePublished": "2024-02-06T20:31:03.761Z", "assignerShortName": "VulDB"}, "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:juanpao:jpshop:*:*:*:*:*:*:*:*", "matchCriteriaId": "36995D4D-14EF-451E-9C08-19CD2AAB3C6D", "versionEndIncluding": "1.5.02", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "A vulnerability was found in Juanpao JPShop up to 1.5.02. It has been declared as problematic. Affected by this vulnerability is an unknown functionality of the file api/config/params.php of the component API. The manipulation of the argument JWT_KEY_ADMIN leads to use of hard-coded cryptographic key\r . The complexity of an attack is rather high. The exploitation appears to be difficult. The exploit has been disclosed to the public and may be used. The identifier VDB-252997 was assigned to this vulnerability."}, {"lang": "es", "value": "Se encontr\u00f3 una vulnerabilidad en Juanpao JPShop hasta 1.5.02. Ha sido declarada problem\u00e1tica. Una funci\u00f3n desconocida del archivo api/config/params.php del componente API es afectada por esta vulnerabilidad. La manipulaci\u00f3n del argumento JWT_KEY_ADMIN conduce al uso de una clave criptogr\u00e1fica codificada. La complejidad de un ataque es bastante alta. La explotaci\u00f3n parece dif\u00edcil. El exploit ha sido divulgado al p\u00fablico y puede utilizarse. A esta vulnerabilidad se le asign\u00f3 el identificador VDB-252997."}], "id": "CVE-2024-1258", "lastModified": "2024-11-21T08:50:10.573", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "LOW", "cvssData": {"accessComplexity": "HIGH", "accessVector": "ADJACENT_NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 1.8, "confidentialityImpact": "PARTIAL", "integrityImpact": "NONE", "vectorString": "AV:A/AC:H/Au:N/C:P/I:N/A:N", "version": "2.0"}, "exploitabilityScore": 3.2, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "cna@vuldb.com", "type": "Secondary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "ADJACENT_NETWORK", "availabilityImpact": "NONE", "baseScore": 3.1, "baseSeverity": "LOW", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 1.6, "impactScore": 1.4, "source": "cna@vuldb.com", "type": "Secondary"}, {"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.9, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 2.2, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2024-02-06T21:15:08.660", "references": [{"source": "cna@vuldb.com", "tags": ["Broken Link"], "url": "https://note.zhaoj.in/share/XblX1My7jNV7"}, {"source": "cna@vuldb.com", "tags": ["Permissions Required", "Third Party Advisory"], "url": "https://vuldb.com/?ctiid.252997"}, {"source": "cna@vuldb.com", "tags": ["Third Party Advisory"], "url": "https://vuldb.com/?id.252997"}, {"source": "cna@vuldb.com", "url": "https://vuldb.com/?submit.277418"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Broken Link"], "url": "https://note.zhaoj.in/share/XblX1My7jNV7"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Permissions Required", "Third Party Advisory"], "url": "https://vuldb.com/?ctiid.252997"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Third Party Advisory"], "url": "https://vuldb.com/?id.252997"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://vuldb.com/?submit.277418"}], "sourceIdentifier": "cna@vuldb.com", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-321"}], "source": "cna@vuldb.com", "type": "Secondary"}]}