-
Notifications
You must be signed in to change notification settings - Fork 2
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Merge pull request #3 from OOsipova/master
Vulnerabilities in Centrify PAS
- Loading branch information
Showing
2 changed files
with
59 additions
and
0 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,29 @@ | ||
| *** | ||
| # Kaspersky Advisory | ||
| ## (K-Delinea-2023-001) Arbitrary File Reading in Centrify PAS | ||
| *** | ||
| ### Affected Hardware/Software | ||
| Centrify PAS v. 21.3 and possibly others | ||
| ### Severity level | ||
| Impact: This vulnerability may allow to dump credentials for DB or even dump entire local DB. Also an attacker may retrieve encryption keys for stored credentials. | ||
|
|
||
| Access Vector: The vulnerability can be exploited by any authorized user with network access. | ||
| ### CVSS v3 Vector | ||
|
|
||
| CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N | ||
| ### CVSS v3 Score | ||
|
|
||
| 7.7 | ||
| ### CVE ID | ||
|
|
||
| CVE-2024-5865 | ||
| ### Vulnerability description | ||
| The application is prone to the path traversal vulnerability allowing arbitrary files reading outside the web publish directory. | ||
| ### Remediation | ||
| Apply patch from vendor. Versions 23.1-HF7 and on have the patch. | ||
| ### Acknowledgements | ||
| The vulnerability was discovered by Vladas Bulavas from Kaspersky | ||
|
|
||
| ### References | ||
| https://github.com/klsecservices/Advisories/blob/master/K-Delinea-2023-001.md | ||
|
|
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,30 @@ | ||
| *** | ||
| # Kaspersky Advisory | ||
| ## (K-Delinea-2023-002) Arbitrary Directory Listing in Centrify PAS | ||
| *** | ||
| ### Affected Hardware/Software | ||
| Centrify PAS v. 21.3 and possibly others | ||
| ### Severity level | ||
| Impact: This vulnerability may allow to get sensitive information from filenames and may help to exploit arbitrary file reading vulnerability. | ||
|
|
||
| Access Vector: The vulnerability can be exploited by any authorized user with network access. | ||
| ### CVSS v3 Vector | ||
|
|
||
| CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N | ||
| ### CVSS v3 Score | ||
|
|
||
| 5.0 | ||
| ### CVE ID | ||
|
|
||
| CVE-2024-5866 | ||
| ### Vulnerability description | ||
| The application is prone to the path traversal vulnerability allowing listing of arbitrary directory outside the root directory of the web application. | ||
| ### Remediation | ||
| Apply patch from vendor. Versions 23.1-HF7 and on have the patch. | ||
| ### Acknowledgements | ||
| The vulnerability was discovered by Vladas Bulavas from Kaspersky | ||
| ### References | ||
| https://github.com/klsecservices/Advisories/blob/master/K-Delinea-2023-002.md | ||
|
|
||
|
|
||
|
|