CVE-2024-36464 - Vulnerability Details - OpenCVE

When exporting media types, the password is exported in the YAML in plain text. This appears to be a best practices type issue and may have no actual impact. The user would need to have permissions to access the media types and therefore would be expected to have access to these passwords.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required High

Scope Unchanged

Confidentiality Impact Low

Integrity Impact None

Availability Impact None

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

No data.

No data.

No data.

References

Link	Providers
https://support.zabbix.com/browse/ZBX-25630

History

Wed, 27 Nov 2024 14:15:00 +0000

Type	Values Removed	Values Added
Description		When exporting media types, the password is exported in the YAML in plain text. This appears to be a best practices type issue and may have no actual impact. The user would need to have permissions to access the media types and therefore would be expected to have access to these passwords.
Title		Media Types: Office365, SMTP passwords are unencrypted and visible in plaintext when exported
Weaknesses		CWE-256
References		https://support.zabbix.com/browse/ZBX-25630
Metrics		cvssV3_1 `{'score': 2.7, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:N'}`

MITRE

Status: PUBLISHED

Assigner: Zabbix

Published: 2024-11-27T14:01:58.136Z

Updated: 2024-11-27T14:28:40.384Z

Reserved: 2024-05-28T11:21:24.946Z

Link: CVE-2024-36464

Vulnrichment

No data.

NVD

Status : Received

Published: 2024-11-27T14:15:17.830

Modified: 2024-11-27T14:15:17.830

Link: CVE-2024-36464

Redhat

No data.

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2024-36464", "assignerOrgId": "72de3e22-0555-4a0d-ae81-9249e0f0a1e8", "state": "PUBLISHED", "assignerShortName": "Zabbix", "dateReserved": "2024-05-28T11:21:24.946Z", "datePublished": "2024-11-27T14:01:58.136Z", "dateUpdated": "2024-11-27T14:28:40.384Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "unaffected", "modules": ["API", "Frontend", "Server"], "product": "Zabbix", "repo": "https://git.zabbix.com/", "vendor": "Zabbix", "versions": [{"changes": [{"at": "6.0.30rc1", "status": "unaffected"}], "lessThanOrEqual": "6.0.29", "status": "affected", "version": "6.0.0", "versionType": "git"}, {"changes": [{"at": "6.4.16rc1", "status": "unaffected"}], "lessThanOrEqual": "6.4.15", "status": "affected", "version": "6.4.0", "versionType": "git"}, {"changes": [{"at": "7.0.1rc1", "status": "unaffected"}], "lessThanOrEqual": "7.0.0", "status": "affected", "version": "7.0.0alpha1", "versionType": "git"}]}], "credits": [{"lang": "en", "type": "reporter", "value": "Zabbix wants to thank Jayateertha G for submitting this report on the HackerOne bug bounty platform."}], "datePublic": "2024-10-30T13:37:00.000Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "When exporting media types, the password is exported in the YAML in plain text. This appears to be a best practices type issue and may have no actual impact. The user would need to have permissions to access the media types and therefore would be expected to have access to these passwords."}], "value": "When exporting media types, the password is exported in the YAML in plain text. This appears to be a best practices type issue and may have no actual impact. The user would need to have permissions to access the media types and therefore would be expected to have access to these passwords."}], "impacts": [{"descriptions": [{"lang": "en", "value": "CWE-200 Exposure of Sensitive Information to an Unauthorized Actor"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 2.7, "baseSeverity": "LOW", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:N", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-256", "description": "CWE-256 Plaintext Storage of a Password", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "72de3e22-0555-4a0d-ae81-9249e0f0a1e8", "shortName": "Zabbix", "dateUpdated": "2024-11-27T14:01:58.136Z"}, "references": [{"url": "https://support.zabbix.com/browse/ZBX-25630"}], "source": {"discovery": "EXTERNAL"}, "title": "Media Types: Office365, SMTP passwords are unencrypted and visible in plaintext when exported", "x_generator": {"engine": "Vulnogram 0.2.0"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2024-11-27T14:27:15.357237Z", "id": "CVE-2024-36464", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-11-27T14:28:40.384Z"}}]}}