CVE-2024-2449 - Vulnerability Details - OpenCVE

A cross-site request forgery vulnerability has been identified in LoadMaster. It is possible for a malicious actor, who has prior knowledge of the IP or hostname of a specific LoadMaster, to direct an authenticated LoadMaster administrator to a third-party site. In such a scenario, the CSRF payload hosted on the malicious site would execute HTTP transactions on behalf of the LoadMaster administrator.

No CVSS v4.0

Attack Vector Network

Attack Complexity High

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction Required

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Progress	Loadmaster

Configuration 1 [-]

OR	cpe:2.3:a:progress:loadmaster:::::ltsf:::*
	cpe:2.3:a:progress:loadmaster:::::ga:::*
	cpe:2.3:a:progress:loadmaster:7.1.35.10::::mt:::
	cpe:2.3:a:progress:loadmaster:7.2.48.10::::lts:::

No data.

References

Link	Providers
https://progress.com/loadmaster
https://support.kemptechnologies.com/hc/en-us/articles/25119767150477-LoadMaster-Security-Vulnerabilities-CVE-2024-2448-and-CVE-2024-2449

History

Mon, 10 Feb 2025 20:00:00 +0000

Type	Values Removed	Values Added
First Time appeared		Progress Progress loadmaster
CPEs		cpe:2.3:a:progress:loadmaster:::::ga:::* cpe:2.3:a:progress:loadmaster:::::ltsf:::* cpe:2.3:a:progress:loadmaster:7.1.35.10::::mt::: cpe:2.3:a:progress:loadmaster:7.2.48.10::::lts:::
Vendors & Products		Progress Progress loadmaster

MITRE

Status: PUBLISHED

Assigner: ProgressSoftware

Published: 2024-03-22T13:35:39.103Z

Updated: 2024-08-12T19:23:36.632Z

Reserved: 2024-03-14T12:32:14.175Z

Link: CVE-2024-2449

Vulnrichment

Updated: 2024-08-01T19:11:53.568Z

NVD

Status : Analyzed

Published: 2024-03-22T14:15:09.210

Modified: 2025-02-10T19:33:51.660

Link: CVE-2024-2449

Redhat

No data.

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2024-2449", "assignerOrgId": "f9fea0b6-671e-4eea-8fde-31911902ae05", "state": "PUBLISHED", "assignerShortName": "ProgressSoftware", "dateReserved": "2024-03-14T12:32:14.175Z", "datePublished": "2024-03-22T13:35:39.103Z", "dateUpdated": "2024-08-12T19:23:36.632Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "affected", "modules": ["LoadMaster", "Multi-Tenancy", "ECS Connection Manager", "LM 360 Connector"], "product": "LoadMaster", "vendor": "Progress Software", "versions": [{"lessThan": "7.2.59.3 ( LoadMaster GA)", "status": "affected", "version": "7.2.55.0", "versionType": "semver"}, {"lessThan": "7.2.54.9 ( LoadMaster LTSF)", "status": "affected", "version": "7.2.49.0", "versionType": "semver"}, {"lessThan": "7.2.48.11 (LoadMaster LTS)", "status": "affected", "version": "7.2.48.10", "versionType": "semver"}, {"lessThan": "7.1.35.11 (LoadMaster MT)", "status": "affected", "version": "7.1.35.10", "versionType": "semver"}]}], "credits": [{"lang": "en", "type": "finder", "value": "Rhino Security Labs - David Yesland"}], "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "A cross-site request forgery vulnerability has been identified in LoadMaster.  It is possible for a malicious actor, who has prior knowledge of the IP or hostname of a specific LoadMaster, to direct an authenticated LoadMaster administrator to a third-party site. In such a scenario, the CSRF payload hosted on the malicious site would execute HTTP transactions on behalf of the LoadMaster administrator."}], "value": "A cross-site request forgery vulnerability has been identified in LoadMaster.\u00a0 It is possible for a malicious actor, who has prior knowledge of the IP or hostname of a specific LoadMaster, to direct an authenticated LoadMaster administrator to a third-party site. In such a scenario, the CSRF payload hosted on the malicious site would execute HTTP transactions on behalf of the LoadMaster administrator."}], "impacts": [{"capecId": "CAPEC-62", "descriptions": [{"lang": "en", "value": "CAPEC-62 Cross Site Request Forgery"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-352", "description": "CWE-352 Cross-Site Request Forgery (CSRF)", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "f9fea0b6-671e-4eea-8fde-31911902ae05", "shortName": "ProgressSoftware", "dateUpdated": "2024-03-22T13:35:39.103Z"}, "references": [{"tags": ["product"], "url": "https://progress.com/loadmaster"}, {"tags": ["vendor-advisory"], "url": "https://support.kemptechnologies.com/hc/en-us/articles/25119767150477-LoadMaster-Security-Vulnerabilities-CVE-2024-2448-and-CVE-2024-2449"}], "source": {"discovery": "UNKNOWN"}, "title": "LoadMaster Cross-Site Request Forgery (CSRF)", "x_generator": {"engine": "Vulnogram 0.1.0-dev"}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-01T19:11:53.568Z"}, "title": "CVE Program Container", "references": [{"tags": ["product", "x_transferred"], "url": "https://progress.com/loadmaster"}, {"tags": ["vendor-advisory", "x_transferred"], "url": "https://support.kemptechnologies.com/hc/en-us/articles/25119767150477-LoadMaster-Security-Vulnerabilities-CVE-2024-2448-and-CVE-2024-2449"}]}, {"affected": [{"vendor": "kemptechnologies", "product": "loadmaster", "cpes": ["cpe:2.3:a:kemptechnologies:loadmaster:*:*:*:*:*:*:*:*"], "defaultStatus": "unknown", "versions": [{"version": "7.2.55.0", "status": "affected", "lessThan": "7.2.59.3", "versionType": "custom"}]}, {"vendor": "progress", "product": "loadmaster", "cpes": ["cpe:2.3:a:progress:loadmaster:*:*:*:*:lts:*:*:*"], "defaultStatus": "unknown", "versions": [{"version": "7.2.48.10", "status": "affected", "lessThan": "7.2.48.11", "versionType": "custom"}]}, {"vendor": "progress", "product": "loadmaster", "cpes": ["cpe:2.3:a:progress:loadmaster:*:*:*:*:ltsf:*:*:*"], "defaultStatus": "unknown", "versions": [{"version": "7.2.49.0", "status": "affected", "lessThan": "7.2.54.9", "versionType": "custom"}]}, {"vendor": "progress", "product": "loadmaster", "cpes": ["cpe:2.3:a:progress:loadmaster:*:*:*:*:ml:*:*:*"], "defaultStatus": "unknown", "versions": [{"version": "7.1.35.10", "status": "affected", "lessThan": "7.1.35.11", "versionType": "custom"}]}], "metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2024-03-22T14:59:39.862131Z", "id": "CVE-2024-2449", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-08-12T19:23:36.632Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "https://progress.com/loadmaster", "tags": ["product", "x_transferred"]}, {"url": "https://support.kemptechnologies.com/hc/en-us/articles/25119767150477-LoadMaster-Security-Vulnerabilities-CVE-2024-2448-and-CVE-2024-2449", "tags": ["vendor-advisory", "x_transferred"]}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-01T19:11:53.568Z"}}, {"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2024-2449", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2024-03-22T14:59:39.862131Z"}}}], "affected": [{"cpes": ["cpe:2.3:a:kemptechnologies:loadmaster:*:*:*:*:*:*:*:*"], "vendor": "kemptechnologies", "product": "loadmaster", "versions": [{"status": "affected", "version": "7.2.55.0", "lessThan": "7.2.59.3", "versionType": "custom"}], "defaultStatus": "unknown"}, {"cpes": ["cpe:2.3:a:progress:loadmaster:*:*:*:*:lts:*:*:*"], "vendor": "progress", "product": "loadmaster", "versions": [{"status": "affected", "version": "7.2.48.10", "lessThan": "7.2.48.11", "versionType": "custom"}], "defaultStatus": "unknown"}, {"cpes": ["cpe:2.3:a:progress:loadmaster:*:*:*:*:ltsf:*:*:*"], "vendor": "progress", "product": "loadmaster", "versions": [{"status": "affected", "version": "7.2.49.0", "lessThan": "7.2.54.9", "versionType": "custom"}], "defaultStatus": "unknown"}, {"cpes": ["cpe:2.3:a:progress:loadmaster:*:*:*:*:ml:*:*:*"], "vendor": "progress", "product": "loadmaster", "versions": [{"status": "affected", "version": "7.1.35.10", "lessThan": "7.1.35.11", "versionType": "custom"}], "defaultStatus": "unknown"}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-08-12T19:23:15.865Z"}}], "cna": {"title": "LoadMaster Cross-Site Request Forgery (CSRF)", "source": {"discovery": "UNKNOWN"}, "credits": [{"lang": "en", "type": "finder", "value": "Rhino Security Labs - David Yesland"}], "impacts": [{"capecId": "CAPEC-62", "descriptions": [{"lang": "en", "value": "CAPEC-62 Cross Site Request Forgery"}]}], "metrics": [{"format": "CVSS", "cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.5, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "REQUIRED", "attackComplexity": "HIGH", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "Progress Software", "modules": ["LoadMaster", "Multi-Tenancy", "ECS Connection Manager", "LM 360 Connector"], "product": "LoadMaster", "versions": [{"status": "affected", "version": "7.2.55.0", "lessThan": "7.2.59.3 ( LoadMaster GA)", "versionType": "semver"}, {"status": "affected", "version": "7.2.49.0", "lessThan": "7.2.54.9 ( LoadMaster LTSF)", "versionType": "semver"}, {"status": "affected", "version": "7.2.48.10", "lessThan": "7.2.48.11 (LoadMaster LTS)", "versionType": "semver"}, {"status": "affected", "version": "7.1.35.10", "lessThan": "7.1.35.11 (LoadMaster MT)", "versionType": "semver"}], "defaultStatus": "affected"}], "references": [{"url": "https://progress.com/loadmaster", "tags": ["product"]}, {"url": "https://support.kemptechnologies.com/hc/en-us/articles/25119767150477-LoadMaster-Security-Vulnerabilities-CVE-2024-2448-and-CVE-2024-2449", "tags": ["vendor-advisory"]}], "x_generator": {"engine": "Vulnogram 0.1.0-dev"}, "descriptions": [{"lang": "en", "value": "A cross-site request forgery vulnerability has been identified in LoadMaster.\u00a0 It is possible for a malicious actor, who has prior knowledge of the IP or hostname of a specific LoadMaster, to direct an authenticated LoadMaster administrator to a third-party site. In such a scenario, the CSRF payload hosted on the malicious site would execute HTTP transactions on behalf of the LoadMaster administrator.", "supportingMedia": [{"type": "text/html", "value": "A cross-site request forgery vulnerability has been identified in LoadMaster.  It is possible for a malicious actor, who has prior knowledge of the IP or hostname of a specific LoadMaster, to direct an authenticated LoadMaster administrator to a third-party site. In such a scenario, the CSRF payload hosted on the malicious site would execute HTTP transactions on behalf of the LoadMaster administrator.", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-352", "description": "CWE-352 Cross-Site Request Forgery (CSRF)"}]}], "providerMetadata": {"orgId": "f9fea0b6-671e-4eea-8fde-31911902ae05", "shortName": "ProgressSoftware", "dateUpdated": "2024-03-22T13:35:39.103Z"}}}, "cveMetadata": {"cveId": "CVE-2024-2449", "state": "PUBLISHED", "dateUpdated": "2024-08-12T19:23:36.632Z", "dateReserved": "2024-03-14T12:32:14.175Z", "assignerOrgId": "f9fea0b6-671e-4eea-8fde-31911902ae05", "datePublished": "2024-03-22T13:35:39.103Z", "assignerShortName": "ProgressSoftware"}, "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:progress:loadmaster:*:*:*:*:ltsf:*:*:*", "matchCriteriaId": "09E601FC-0D63-44B7-8726-DA512D075139", "versionEndExcluding": "7.2.54.9", "versionStartIncluding": "7.2.49.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:progress:loadmaster:*:*:*:*:ga:*:*:*", "matchCriteriaId": "F95CC892-C725-49BE-AC30-3AB2C1547517", "versionEndExcluding": "7.2.59.3", "versionStartIncluding": "7.2.55.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:progress:loadmaster:7.1.35.10:*:*:*:mt:*:*:*", "matchCriteriaId": "8F615B26-D735-4A95-9D04-D434B61CFB38", "vulnerable": true}, {"criteria": "cpe:2.3:a:progress:loadmaster:7.2.48.10:*:*:*:lts:*:*:*", "matchCriteriaId": "8DDDA906-6A2C-4662-B3EC-6406BC32370D", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "A cross-site request forgery vulnerability has been identified in LoadMaster.\u00a0 It is possible for a malicious actor, who has prior knowledge of the IP or hostname of a specific LoadMaster, to direct an authenticated LoadMaster administrator to a third-party site. In such a scenario, the CSRF payload hosted on the malicious site would execute HTTP transactions on behalf of the LoadMaster administrator."}, {"lang": "es", "value": "Se ha identificado una vulnerabilidad de Cross-Site Request Forgery en LoadMaster. Es posible que un actor malintencionado, que tenga conocimiento previo de la IP o el nombre de host de un LoadMaster espec\u00edfico, dirija a un administrador de LoadMaster autenticado a un sitio de terceros. En tal escenario, el payload CSRF alojado en el sitio malicioso ejecutar\u00eda transacciones HTTP en nombre del administrador de LoadMaster."}], "id": "CVE-2024-2449", "lastModified": "2025-02-10T19:33:51.660", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 1.6, "impactScore": 5.9, "source": "security@progress.com", "type": "Secondary"}, {"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 1.6, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2024-03-22T14:15:09.210", "references": [{"source": "security@progress.com", "tags": ["Broken Link"], "url": "https://progress.com/loadmaster"}, {"source": "security@progress.com", "tags": ["Vendor Advisory"], "url": "https://support.kemptechnologies.com/hc/en-us/articles/25119767150477-LoadMaster-Security-Vulnerabilities-CVE-2024-2448-and-CVE-2024-2449"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Broken Link"], "url": "https://progress.com/loadmaster"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Vendor Advisory"], "url": "https://support.kemptechnologies.com/hc/en-us/articles/25119767150477-LoadMaster-Security-Vulnerabilities-CVE-2024-2448-and-CVE-2024-2449"}], "sourceIdentifier": "security@progress.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-352"}], "source": "security@progress.com", "type": "Secondary"}, {"description": [{"lang": "en", "value": "CWE-352"}], "source": "nvd@nist.gov", "type": "Primary"}]}