Search
Find a vulnerability
Search criteria
ⓘ
Use this form to refine search results.
Full-text search supports keyword queries with ranking and filtering.
You can combine vendor, product, and sources to narrow results.
Enable “Apply ordering” to sort by date instead of relevance.
4 vulnerabilities found for Automox Agent by Automox
CVE-2021-26909 (GCVE-0-2021-26909)
Vulnerability from cvelistv5 – Published: 2021-04-23 15:35 – Updated: 2024-09-16 22:52
VLAI
EPSS
VEX
Title
Automox Agent Guessable S3 Bucket Endpoint
Summary
Automox Agent prior to version 31 uses an insufficiently protected S3 bucket endpoint for storing sensitive files, which could be brute-forced by an attacker to subvert an organization's security program. The issue has since been fixed in version 31 of the Automox Agent.
Severity
CWE
- CWE-284 - Improper Access Control
Assigner
References
2 references
| URL | Tags |
|---|---|
| https://community.automox.com/t/cve-2021-26908-an… | x_refsource_CONFIRM |
| https://www.rapid7.com/blog/post/2021/04/13/cve-2… | x_refsource_MISC |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Automox | Automox Agent |
Affected:
30 , < 30
(custom)
|
Date Public
2021-04-13 00:00
Credits
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T20:33:41.259Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://community.automox.com/t/cve-2021-26908-and-cve-201-26909-automox-agent-information-disclosure-vulnerabilities-fixed/1955"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.rapid7.com/blog/post/2021/04/13/cve-2021-26908-and-cve-2021-26909-automox-agent-information-disclosure-fixed/"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Automox Agent",
"vendor": "Automox",
"versions": [
{
"lessThan": "30",
"status": "affected",
"version": "30",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "This issue was discovered by Danny Jordan of Rapid7, and disclosed in accordance with Rapid7\u0027s vulnerability disclosure policy at https://www.rapid7.com/security/disclosure#zeroday"
}
],
"datePublic": "2021-04-13T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "Automox Agent prior to version 31 uses an insufficiently protected S3 bucket endpoint for storing sensitive files, which could be brute-forced by an attacker to subvert an organization\u0027s security program. The issue has since been fixed in version 31 of the Automox Agent."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 3.7,
"baseSeverity": "LOW",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-284",
"description": "CWE-284 Improper Access Control",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2021-04-23T15:35:20.000Z",
"orgId": "9974b330-7714-4307-a722-5648477acda7",
"shortName": "rapid7"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://community.automox.com/t/cve-2021-26908-and-cve-201-26909-automox-agent-information-disclosure-vulnerabilities-fixed/1955"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://www.rapid7.com/blog/post/2021/04/13/cve-2021-26908-and-cve-2021-26909-automox-agent-information-disclosure-fixed/"
}
],
"source": {
"discovery": "USER"
},
"title": "Automox Agent Guessable S3 Bucket Endpoint",
"x_generator": {
"engine": "Vulnogram 0.0.9"
},
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@rapid7.com",
"DATE_PUBLIC": "2021-04-13T16:00:00.000Z",
"ID": "CVE-2021-26909",
"STATE": "PUBLIC",
"TITLE": "Automox Agent Guessable S3 Bucket Endpoint"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Automox Agent",
"version": {
"version_data": [
{
"version_affected": "\u003c",
"version_name": "30",
"version_value": "30"
}
]
}
}
]
},
"vendor_name": "Automox"
}
]
}
},
"credit": [
{
"lang": "eng",
"value": "This issue was discovered by Danny Jordan of Rapid7, and disclosed in accordance with Rapid7\u0027s vulnerability disclosure policy at https://www.rapid7.com/security/disclosure#zeroday"
}
],
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Automox Agent prior to version 31 uses an insufficiently protected S3 bucket endpoint for storing sensitive files, which could be brute-forced by an attacker to subvert an organization\u0027s security program. The issue has since been fixed in version 31 of the Automox Agent."
}
]
},
"generator": {
"engine": "Vulnogram 0.0.9"
},
"impact": {
"cvss": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 3.7,
"baseSeverity": "LOW",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-284 Improper Access Control"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://community.automox.com/t/cve-2021-26908-and-cve-201-26909-automox-agent-information-disclosure-vulnerabilities-fixed/1955",
"refsource": "CONFIRM",
"url": "https://community.automox.com/t/cve-2021-26908-and-cve-201-26909-automox-agent-information-disclosure-vulnerabilities-fixed/1955"
},
{
"name": "https://www.rapid7.com/blog/post/2021/04/13/cve-2021-26908-and-cve-2021-26909-automox-agent-information-disclosure-fixed/",
"refsource": "MISC",
"url": "https://www.rapid7.com/blog/post/2021/04/13/cve-2021-26908-and-cve-2021-26909-automox-agent-information-disclosure-fixed/"
}
]
},
"source": {
"discovery": "USER"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "9974b330-7714-4307-a722-5648477acda7",
"assignerShortName": "rapid7",
"cveId": "CVE-2021-26909",
"datePublished": "2021-04-23T15:35:20.717Z",
"dateReserved": "2021-02-08T00:00:00.000Z",
"dateUpdated": "2024-09-16T22:52:05.825Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2021-26908 (GCVE-0-2021-26908)
Vulnerability from cvelistv5 – Published: 2021-04-23 15:35 – Updated: 2024-09-17 01:26
VLAI
EPSS
VEX
Title
Automox Agent Sensitive Log Information Disclosure
Summary
Automox Agent prior to version 31 logs potentially sensitive information in local log files, which could be used by a locally-authenticated attacker to subvert an organization's security program. The issue has since been fixed in version 31 of the Automox Agent.
Severity
CWE
- CWE-532 - Information Exposure Through Log Files
Assigner
References
2 references
| URL | Tags |
|---|---|
| https://community.automox.com/t/cve-2021-26908-an… | x_refsource_CONFIRM |
| https://www.rapid7.com/blog/post/2021/04/13/cve-2… | x_refsource_MISC |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Automox | Automox Agent |
Affected:
30 , < 30
(custom)
|
Date Public
2021-04-13 00:00
Credits
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T20:33:41.358Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://community.automox.com/t/cve-2021-26908-and-cve-201-26909-automox-agent-information-disclosure-vulnerabilities-fixed/1955"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.rapid7.com/blog/post/2021/04/13/cve-2021-26908-and-cve-2021-26909-automox-agent-information-disclosure-fixed/"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Automox Agent",
"vendor": "Automox",
"versions": [
{
"lessThan": "30",
"status": "affected",
"version": "30",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "This issue was discovered by Danny Jordan of Rapid7, and disclosed in accordance with Rapid7\u0027s vulnerability disclosure policy at https://www.rapid7.com/security/disclosure#zeroday"
}
],
"datePublic": "2021-04-13T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "Automox Agent prior to version 31 logs potentially sensitive information in local log files, which could be used by a locally-authenticated attacker to subvert an organization\u0027s security program. The issue has since been fixed in version 31 of the Automox Agent."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "NONE",
"baseScore": 3.3,
"baseSeverity": "LOW",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-532",
"description": "CWE-532 Information Exposure Through Log Files",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2021-04-23T15:35:19.000Z",
"orgId": "9974b330-7714-4307-a722-5648477acda7",
"shortName": "rapid7"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://community.automox.com/t/cve-2021-26908-and-cve-201-26909-automox-agent-information-disclosure-vulnerabilities-fixed/1955"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://www.rapid7.com/blog/post/2021/04/13/cve-2021-26908-and-cve-2021-26909-automox-agent-information-disclosure-fixed/"
}
],
"source": {
"discovery": "USER"
},
"title": "Automox Agent Sensitive Log Information Disclosure",
"x_generator": {
"engine": "Vulnogram 0.0.9"
},
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@rapid7.com",
"DATE_PUBLIC": "2021-04-13T16:00:00.000Z",
"ID": "CVE-2021-26908",
"STATE": "PUBLIC",
"TITLE": "Automox Agent Sensitive Log Information Disclosure"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Automox Agent",
"version": {
"version_data": [
{
"version_affected": "\u003c",
"version_name": "30",
"version_value": "30"
}
]
}
}
]
},
"vendor_name": "Automox"
}
]
}
},
"credit": [
{
"lang": "eng",
"value": "This issue was discovered by Danny Jordan of Rapid7, and disclosed in accordance with Rapid7\u0027s vulnerability disclosure policy at https://www.rapid7.com/security/disclosure#zeroday"
}
],
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Automox Agent prior to version 31 logs potentially sensitive information in local log files, which could be used by a locally-authenticated attacker to subvert an organization\u0027s security program. The issue has since been fixed in version 31 of the Automox Agent."
}
]
},
"generator": {
"engine": "Vulnogram 0.0.9"
},
"impact": {
"cvss": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "NONE",
"baseScore": 3.3,
"baseSeverity": "LOW",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-532 Information Exposure Through Log Files"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://community.automox.com/t/cve-2021-26908-and-cve-201-26909-automox-agent-information-disclosure-vulnerabilities-fixed/1955",
"refsource": "CONFIRM",
"url": "https://community.automox.com/t/cve-2021-26908-and-cve-201-26909-automox-agent-information-disclosure-vulnerabilities-fixed/1955"
},
{
"name": "https://www.rapid7.com/blog/post/2021/04/13/cve-2021-26908-and-cve-2021-26909-automox-agent-information-disclosure-fixed/",
"refsource": "MISC",
"url": "https://www.rapid7.com/blog/post/2021/04/13/cve-2021-26908-and-cve-2021-26909-automox-agent-information-disclosure-fixed/"
}
]
},
"source": {
"discovery": "USER"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "9974b330-7714-4307-a722-5648477acda7",
"assignerShortName": "rapid7",
"cveId": "CVE-2021-26908",
"datePublished": "2021-04-23T15:35:20.041Z",
"dateReserved": "2021-02-08T00:00:00.000Z",
"dateUpdated": "2024-09-17T01:26:49.007Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2021-26908 (GCVE-0-2021-26908)
Vulnerability from nvd – Published: 2021-04-23 15:35 – Updated: 2024-09-17 01:26
VLAI
EPSS
VEX
Title
Automox Agent Sensitive Log Information Disclosure
Summary
Automox Agent prior to version 31 logs potentially sensitive information in local log files, which could be used by a locally-authenticated attacker to subvert an organization's security program. The issue has since been fixed in version 31 of the Automox Agent.
Severity
CWE
- CWE-532 - Information Exposure Through Log Files
Assigner
References
2 references
| URL | Tags |
|---|---|
| https://community.automox.com/t/cve-2021-26908-an… | x_refsource_CONFIRM |
| https://www.rapid7.com/blog/post/2021/04/13/cve-2… | x_refsource_MISC |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Automox | Automox Agent |
Affected:
30 , < 30
(custom)
|
Date Public
2021-04-13 00:00
Credits
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T20:33:41.358Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://community.automox.com/t/cve-2021-26908-and-cve-201-26909-automox-agent-information-disclosure-vulnerabilities-fixed/1955"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.rapid7.com/blog/post/2021/04/13/cve-2021-26908-and-cve-2021-26909-automox-agent-information-disclosure-fixed/"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Automox Agent",
"vendor": "Automox",
"versions": [
{
"lessThan": "30",
"status": "affected",
"version": "30",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "This issue was discovered by Danny Jordan of Rapid7, and disclosed in accordance with Rapid7\u0027s vulnerability disclosure policy at https://www.rapid7.com/security/disclosure#zeroday"
}
],
"datePublic": "2021-04-13T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "Automox Agent prior to version 31 logs potentially sensitive information in local log files, which could be used by a locally-authenticated attacker to subvert an organization\u0027s security program. The issue has since been fixed in version 31 of the Automox Agent."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "NONE",
"baseScore": 3.3,
"baseSeverity": "LOW",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-532",
"description": "CWE-532 Information Exposure Through Log Files",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2021-04-23T15:35:19.000Z",
"orgId": "9974b330-7714-4307-a722-5648477acda7",
"shortName": "rapid7"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://community.automox.com/t/cve-2021-26908-and-cve-201-26909-automox-agent-information-disclosure-vulnerabilities-fixed/1955"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://www.rapid7.com/blog/post/2021/04/13/cve-2021-26908-and-cve-2021-26909-automox-agent-information-disclosure-fixed/"
}
],
"source": {
"discovery": "USER"
},
"title": "Automox Agent Sensitive Log Information Disclosure",
"x_generator": {
"engine": "Vulnogram 0.0.9"
},
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@rapid7.com",
"DATE_PUBLIC": "2021-04-13T16:00:00.000Z",
"ID": "CVE-2021-26908",
"STATE": "PUBLIC",
"TITLE": "Automox Agent Sensitive Log Information Disclosure"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Automox Agent",
"version": {
"version_data": [
{
"version_affected": "\u003c",
"version_name": "30",
"version_value": "30"
}
]
}
}
]
},
"vendor_name": "Automox"
}
]
}
},
"credit": [
{
"lang": "eng",
"value": "This issue was discovered by Danny Jordan of Rapid7, and disclosed in accordance with Rapid7\u0027s vulnerability disclosure policy at https://www.rapid7.com/security/disclosure#zeroday"
}
],
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Automox Agent prior to version 31 logs potentially sensitive information in local log files, which could be used by a locally-authenticated attacker to subvert an organization\u0027s security program. The issue has since been fixed in version 31 of the Automox Agent."
}
]
},
"generator": {
"engine": "Vulnogram 0.0.9"
},
"impact": {
"cvss": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "NONE",
"baseScore": 3.3,
"baseSeverity": "LOW",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-532 Information Exposure Through Log Files"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://community.automox.com/t/cve-2021-26908-and-cve-201-26909-automox-agent-information-disclosure-vulnerabilities-fixed/1955",
"refsource": "CONFIRM",
"url": "https://community.automox.com/t/cve-2021-26908-and-cve-201-26909-automox-agent-information-disclosure-vulnerabilities-fixed/1955"
},
{
"name": "https://www.rapid7.com/blog/post/2021/04/13/cve-2021-26908-and-cve-2021-26909-automox-agent-information-disclosure-fixed/",
"refsource": "MISC",
"url": "https://www.rapid7.com/blog/post/2021/04/13/cve-2021-26908-and-cve-2021-26909-automox-agent-information-disclosure-fixed/"
}
]
},
"source": {
"discovery": "USER"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "9974b330-7714-4307-a722-5648477acda7",
"assignerShortName": "rapid7",
"cveId": "CVE-2021-26908",
"datePublished": "2021-04-23T15:35:20.041Z",
"dateReserved": "2021-02-08T00:00:00.000Z",
"dateUpdated": "2024-09-17T01:26:49.007Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2021-26909 (GCVE-0-2021-26909)
Vulnerability from nvd – Published: 2021-04-23 15:35 – Updated: 2024-09-16 22:52
VLAI
EPSS
VEX
Title
Automox Agent Guessable S3 Bucket Endpoint
Summary
Automox Agent prior to version 31 uses an insufficiently protected S3 bucket endpoint for storing sensitive files, which could be brute-forced by an attacker to subvert an organization's security program. The issue has since been fixed in version 31 of the Automox Agent.
Severity
CWE
- CWE-284 - Improper Access Control
Assigner
References
2 references
| URL | Tags |
|---|---|
| https://community.automox.com/t/cve-2021-26908-an… | x_refsource_CONFIRM |
| https://www.rapid7.com/blog/post/2021/04/13/cve-2… | x_refsource_MISC |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Automox | Automox Agent |
Affected:
30 , < 30
(custom)
|
Date Public
2021-04-13 00:00
Credits
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T20:33:41.259Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://community.automox.com/t/cve-2021-26908-and-cve-201-26909-automox-agent-information-disclosure-vulnerabilities-fixed/1955"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.rapid7.com/blog/post/2021/04/13/cve-2021-26908-and-cve-2021-26909-automox-agent-information-disclosure-fixed/"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Automox Agent",
"vendor": "Automox",
"versions": [
{
"lessThan": "30",
"status": "affected",
"version": "30",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "This issue was discovered by Danny Jordan of Rapid7, and disclosed in accordance with Rapid7\u0027s vulnerability disclosure policy at https://www.rapid7.com/security/disclosure#zeroday"
}
],
"datePublic": "2021-04-13T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "Automox Agent prior to version 31 uses an insufficiently protected S3 bucket endpoint for storing sensitive files, which could be brute-forced by an attacker to subvert an organization\u0027s security program. The issue has since been fixed in version 31 of the Automox Agent."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 3.7,
"baseSeverity": "LOW",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-284",
"description": "CWE-284 Improper Access Control",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2021-04-23T15:35:20.000Z",
"orgId": "9974b330-7714-4307-a722-5648477acda7",
"shortName": "rapid7"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://community.automox.com/t/cve-2021-26908-and-cve-201-26909-automox-agent-information-disclosure-vulnerabilities-fixed/1955"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://www.rapid7.com/blog/post/2021/04/13/cve-2021-26908-and-cve-2021-26909-automox-agent-information-disclosure-fixed/"
}
],
"source": {
"discovery": "USER"
},
"title": "Automox Agent Guessable S3 Bucket Endpoint",
"x_generator": {
"engine": "Vulnogram 0.0.9"
},
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@rapid7.com",
"DATE_PUBLIC": "2021-04-13T16:00:00.000Z",
"ID": "CVE-2021-26909",
"STATE": "PUBLIC",
"TITLE": "Automox Agent Guessable S3 Bucket Endpoint"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Automox Agent",
"version": {
"version_data": [
{
"version_affected": "\u003c",
"version_name": "30",
"version_value": "30"
}
]
}
}
]
},
"vendor_name": "Automox"
}
]
}
},
"credit": [
{
"lang": "eng",
"value": "This issue was discovered by Danny Jordan of Rapid7, and disclosed in accordance with Rapid7\u0027s vulnerability disclosure policy at https://www.rapid7.com/security/disclosure#zeroday"
}
],
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Automox Agent prior to version 31 uses an insufficiently protected S3 bucket endpoint for storing sensitive files, which could be brute-forced by an attacker to subvert an organization\u0027s security program. The issue has since been fixed in version 31 of the Automox Agent."
}
]
},
"generator": {
"engine": "Vulnogram 0.0.9"
},
"impact": {
"cvss": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 3.7,
"baseSeverity": "LOW",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-284 Improper Access Control"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://community.automox.com/t/cve-2021-26908-and-cve-201-26909-automox-agent-information-disclosure-vulnerabilities-fixed/1955",
"refsource": "CONFIRM",
"url": "https://community.automox.com/t/cve-2021-26908-and-cve-201-26909-automox-agent-information-disclosure-vulnerabilities-fixed/1955"
},
{
"name": "https://www.rapid7.com/blog/post/2021/04/13/cve-2021-26908-and-cve-2021-26909-automox-agent-information-disclosure-fixed/",
"refsource": "MISC",
"url": "https://www.rapid7.com/blog/post/2021/04/13/cve-2021-26908-and-cve-2021-26909-automox-agent-information-disclosure-fixed/"
}
]
},
"source": {
"discovery": "USER"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "9974b330-7714-4307-a722-5648477acda7",
"assignerShortName": "rapid7",
"cveId": "CVE-2021-26909",
"datePublished": "2021-04-23T15:35:20.717Z",
"dateReserved": "2021-02-08T00:00:00.000Z",
"dateUpdated": "2024-09-16T22:52:05.825Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}