cvelistv5 - cve-2024-38996

cve-2024-38996

Vulnerability from cvelistv5

Published

2024-07-01 00:00

Modified

2024-08-02 04:19

Severity ?

9.8 (Critical) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Summary

ag-grid-community v31.3.2 and ag-grid-enterprise v31.3.2 were discovered to contain a prototype pollution via the _.mergeDeep function. This vulnerability allows attackers to execute arbitrary code or cause a Denial of Service (DoS) via injecting arbitrary properties.

References

▼	URL	Tags
	cve@mitre.org	https://gist.github.com/mestrtee/18e8c27f3a6376e7cf082cfe1ca766fa
	cve@mitre.org	https://gist.github.com/mestrtee/c1590660750744f25e86ba1bf240844b
	cve@mitre.org	https://gist.github.com/mestrtee/f8037d492dab0d77bca719e05d31c08b
	af854a3a-2127-422b-91ae-364da2661108	https://gist.github.com/mestrtee/18e8c27f3a6376e7cf082cfe1ca766fa
	af854a3a-2127-422b-91ae-364da2661108	https://gist.github.com/mestrtee/c1590660750744f25e86ba1bf240844b
	af854a3a-2127-422b-91ae-364da2661108	https://gist.github.com/mestrtee/f8037d492dab0d77bca719e05d31c08b

Impacted products

	Vendor	Product	Version
	n/a	n/a	Version: n/a

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "affected": [
          {
            "cpes": [
              "cpe:2.3:a:ag-grid:ag-grid-community:31.3.2:*:*:*:*:*:*:*",
              "cpe:2.3:a:ag-grid:ag-grid-enterprise:31.3.2:*:*:*:*:*:*:*"
            ],
            "defaultStatus": "unknown",
            "product": "ag-grid-enterprise",
            "vendor": "ag-grid",
            "versions": [
              {
                "status": "affected",
                "version": "31.3.2"
              }
            ]
          }
        ],
        "metrics": [
          {
            "cvssV3_1": {
              "attackComplexity": "LOW",
              "attackVector": "NETWORK",
              "availabilityImpact": "HIGH",
              "baseScore": 9.8,
              "baseSeverity": "CRITICAL",
              "confidentialityImpact": "HIGH",
              "integrityImpact": "HIGH",
              "privilegesRequired": "NONE",
              "scope": "UNCHANGED",
              "userInteraction": "NONE",
              "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
              "version": "3.1"
            }
          },
          {
            "other": {
              "content": {
                "id": "CVE-2024-38996",
                "options": [
                  {
                    "Exploitation": "poc"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2024-07-02T18:32:04.801249Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "problemTypes": [
          {
            "descriptions": [
              {
                "cweId": "CWE-1321",
                "description": "CWE-1321 Improperly Controlled Modification of Object Prototype Attributes (\u0027Prototype Pollution\u0027)",
                "lang": "en",
                "type": "CWE"
              }
            ]
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2024-07-02T18:38:11.706Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      },
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-02T04:19:20.621Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://gist.github.com/mestrtee/c1590660750744f25e86ba1bf240844b"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://gist.github.com/mestrtee/f8037d492dab0d77bca719e05d31c08b"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://gist.github.com/mestrtee/18e8c27f3a6376e7cf082cfe1ca766fa"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "n/a",
          "vendor": "n/a",
          "versions": [
            {
              "status": "affected",
              "version": "n/a"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "ag-grid-community v31.3.2 and ag-grid-enterprise v31.3.2 were discovered to contain a prototype pollution via the _.mergeDeep function. This vulnerability allows attackers to execute arbitrary code or cause a Denial of Service (DoS) via injecting arbitrary properties."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "n/a",
              "lang": "en",
              "type": "text"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2024-07-01T12:49:24.566239",
        "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
        "shortName": "mitre"
      },
      "references": [
        {
          "url": "https://gist.github.com/mestrtee/c1590660750744f25e86ba1bf240844b"
        },
        {
          "url": "https://gist.github.com/mestrtee/f8037d492dab0d77bca719e05d31c08b"
        },
        {
          "url": "https://gist.github.com/mestrtee/18e8c27f3a6376e7cf082cfe1ca766fa"
        }
      ]
    }
  },
  "cveMetadata": {
    "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
    "assignerShortName": "mitre",
    "cveId": "CVE-2024-38996",
    "datePublished": "2024-07-01T00:00:00",
    "dateReserved": "2024-06-21T00:00:00",
    "dateUpdated": "2024-08-02T04:19:20.621Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1",
  "vulnerability-lookup:meta": {
    "nvd": "{\"cve\":{\"id\":\"CVE-2024-38996\",\"sourceIdentifier\":\"cve@mitre.org\",\"published\":\"2024-07-01T13:15:05.103\",\"lastModified\":\"2024-11-21T09:27:04.387\",\"vulnStatus\":\"Awaiting Analysis\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"ag-grid-community v31.3.2 and ag-grid-enterprise v31.3.2 were discovered to contain a prototype pollution via the _.mergeDeep function. This vulnerability allows attackers to execute arbitrary code or cause a Denial of Service (DoS) via injecting arbitrary properties.\"},{\"lang\":\"es\",\"value\":\"Se descubri\u00f3 que ag-grid-community v31.3.2 y ag-grid-enterprise v31.3.2 conten\u00edan un prototipo de contaminaci\u00f3n a trav\u00e9s de la funci\u00f3n _.mergeDeep. Esta vulnerabilidad permite a los atacantes ejecutar c\u00f3digo arbitrario o provocar una denegaci\u00f3n de servicio (DoS) mediante la inyecci\u00f3n de propiedades arbitrarias.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"134c704f-9b21-4f2e-91b3-4a467353bcc0\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\",\"baseScore\":9.8,\"baseSeverity\":\"CRITICAL\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":3.9,\"impactScore\":5.9}]},\"weaknesses\":[{\"source\":\"134c704f-9b21-4f2e-91b3-4a467353bcc0\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-1321\"}]}],\"references\":[{\"url\":\"https://gist.github.com/mestrtee/18e8c27f3a6376e7cf082cfe1ca766fa\",\"source\":\"cve@mitre.org\"},{\"url\":\"https://gist.github.com/mestrtee/c1590660750744f25e86ba1bf240844b\",\"source\":\"cve@mitre.org\"},{\"url\":\"https://gist.github.com/mestrtee/f8037d492dab0d77bca719e05d31c08b\",\"source\":\"cve@mitre.org\"},{\"url\":\"https://gist.github.com/mestrtee/18e8c27f3a6376e7cf082cfe1ca766fa\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"https://gist.github.com/mestrtee/c1590660750744f25e86ba1bf240844b\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"https://gist.github.com/mestrtee/f8037d492dab0d77bca719e05d31c08b\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"}]}}",
    "vulnrichment": {
      "containers": "{\"adp\": [{\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"cvssV3_1\": {\"scope\": \"UNCHANGED\", \"version\": \"3.1\", \"baseScore\": 9.8, \"attackVector\": \"NETWORK\", \"baseSeverity\": \"CRITICAL\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\", \"integrityImpact\": \"HIGH\", \"userInteraction\": \"NONE\", \"attackComplexity\": \"LOW\", \"availabilityImpact\": \"HIGH\", \"privilegesRequired\": \"NONE\", \"confidentialityImpact\": \"HIGH\"}}, {\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2024-38996\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"poc\"}, {\"Automatable\": \"yes\"}, {\"Technical Impact\": \"total\"}], \"version\": \"2.0.3\", \"timestamp\": \"2024-07-02T18:32:04.801249Z\"}}}], \"affected\": [{\"cpes\": [\"cpe:2.3:a:ag-grid:ag-grid-community:31.3.2:*:*:*:*:*:*:*\", \"cpe:2.3:a:ag-grid:ag-grid-enterprise:31.3.2:*:*:*:*:*:*:*\"], \"vendor\": \"ag-grid\", \"product\": \"ag-grid-enterprise\", \"versions\": [{\"status\": \"affected\", \"version\": \"31.3.2\"}], \"defaultStatus\": \"unknown\"}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-1321\", \"description\": \"CWE-1321 Improperly Controlled Modification of Object Prototype Attributes (\u0027Prototype Pollution\u0027)\"}]}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2024-07-02T18:37:50.552Z\"}}], \"cna\": {\"affected\": [{\"vendor\": \"n/a\", \"product\": \"n/a\", \"versions\": [{\"status\": \"affected\", \"version\": \"n/a\"}]}], \"references\": [{\"url\": \"https://gist.github.com/mestrtee/c1590660750744f25e86ba1bf240844b\"}, {\"url\": \"https://gist.github.com/mestrtee/f8037d492dab0d77bca719e05d31c08b\"}, {\"url\": \"https://gist.github.com/mestrtee/18e8c27f3a6376e7cf082cfe1ca766fa\"}], \"descriptions\": [{\"lang\": \"en\", \"value\": \"ag-grid-community v31.3.2 and ag-grid-enterprise v31.3.2 were discovered to contain a prototype pollution via the _.mergeDeep function. This vulnerability allows attackers to execute arbitrary code or cause a Denial of Service (DoS) via injecting arbitrary properties.\"}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"text\", \"description\": \"n/a\"}]}], \"providerMetadata\": {\"orgId\": \"8254265b-2729-46b6-b9e3-3dfca2d5bfca\", \"shortName\": \"mitre\", \"dateUpdated\": \"2024-07-01T12:49:24.566239\"}}}",
      "cveMetadata": "{\"cveId\": \"CVE-2024-38996\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2024-07-02T18:38:11.706Z\", \"dateReserved\": \"2024-06-21T00:00:00\", \"assignerOrgId\": \"8254265b-2729-46b6-b9e3-3dfca2d5bfca\", \"datePublished\": \"2024-07-01T00:00:00\", \"assignerShortName\": \"mitre\"}",
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }
  }
}

wid-sec-w-2024-3344

Vulnerability from csaf_certbund

Published

2024-11-05 23:00

Modified

2024-12-18 23:00

Summary

HCL BigFix WebUI: Mehrere Open Source Schwachstellen

Notes

Das BSI ist als Anbieter für die eigenen, zur Nutzung bereitgestellten Inhalte nach den allgemeinen Gesetzen verantwortlich. Nutzerinnen und Nutzer sind jedoch dafür verantwortlich, die Verwendung und/oder die Umsetzung der mit den Inhalten bereitgestellten Informationen sorgfältig im Einzelfall zu prüfen.

Produktbeschreibung

BigFix ist eine Lösung zum Erkennen und Verwalten von physischen und virtuellen Endpunkten.

Angriff

Ein entfernter, anonymer Angreifer kann mehrere Schwachstellen in HCL BigFix WebU ausnutzen, um die Vertraulichkeit, Verfügbarkeit und Integrität zu gefährden.

Betroffene Betriebssysteme

- Linux - Sonstiges - UNIX - Windows

JSON

To clipboard

{
  "document": {
    "aggregate_severity": {
      "text": "hoch"
    },
    "category": "csaf_base",
    "csaf_version": "2.0",
    "distribution": {
      "tlp": {
        "label": "WHITE",
        "url": "https://www.first.org/tlp/"
      }
    },
    "lang": "de-DE",
    "notes": [
      {
        "category": "legal_disclaimer",
        "text": "Das BSI ist als Anbieter f\u00fcr die eigenen, zur Nutzung bereitgestellten Inhalte nach den allgemeinen Gesetzen verantwortlich. Nutzerinnen und Nutzer sind jedoch daf\u00fcr verantwortlich, die Verwendung und/oder die Umsetzung der mit den Inhalten bereitgestellten Informationen sorgf\u00e4ltig im Einzelfall zu pr\u00fcfen."
      },
      {
        "category": "description",
        "text": "BigFix ist eine L\u00f6sung zum Erkennen und Verwalten von physischen und virtuellen Endpunkten.",
        "title": "Produktbeschreibung"
      },
      {
        "category": "summary",
        "text": "Ein entfernter, anonymer Angreifer kann mehrere Schwachstellen in HCL BigFix WebU ausnutzen, um die Vertraulichkeit, Verf\u00fcgbarkeit und Integrit\u00e4t zu gef\u00e4hrden.",
        "title": "Angriff"
      },
      {
        "category": "general",
        "text": "- Linux\n- Sonstiges\n- UNIX\n- Windows",
        "title": "Betroffene Betriebssysteme"
      }
    ],
    "publisher": {
      "category": "other",
      "contact_details": "csaf-provider@cert-bund.de",
      "name": "Bundesamt f\u00fcr Sicherheit in der Informationstechnik",
      "namespace": "https://www.bsi.bund.de"
    },
    "references": [
      {
        "category": "self",
        "summary": "WID-SEC-W-2024-3344 - CSAF Version",
        "url": "https://wid.cert-bund.de/.well-known/csaf/white/2024/wid-sec-w-2024-3344.json"
      },
      {
        "category": "self",
        "summary": "WID-SEC-2024-3344 - Portal Version",
        "url": "https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2024-3344"
      },
      {
        "category": "external",
        "summary": "HCL BigFix Security Advisory vom 2024-11-05",
        "url": "https://support.hcl-software.com/community?id=community_blog\u0026sys_id=e8e9f77b936dd6100dddf87d1dba103d"
      },
      {
        "category": "external",
        "summary": "HCL Security Bulletin vom 2024-12-18",
        "url": "https://support.hcl-software.com/community?id=community_blog\u0026sys_id=1af3c435fb2216d0db10f2797befdc15"
      }
    ],
    "source_lang": "en-US",
    "title": "HCL BigFix WebUI: Mehrere Open Source Schwachstellen",
    "tracking": {
      "current_release_date": "2024-12-18T23:00:00.000+00:00",
      "generator": {
        "date": "2024-12-19T09:12:54.292+00:00",
        "engine": {
          "name": "BSI-WID",
          "version": "1.3.10"
        }
      },
      "id": "WID-SEC-W-2024-3344",
      "initial_release_date": "2024-11-05T23:00:00.000+00:00",
      "revision_history": [
        {
          "date": "2024-11-05T23:00:00.000+00:00",
          "number": "1",
          "summary": "Initiale Fassung"
        },
        {
          "date": "2024-12-18T23:00:00.000+00:00",
          "number": "2",
          "summary": "Neue Updates aufgenommen"
        }
      ],
      "status": "final",
      "version": "2"
    }
  },
  "product_tree": {
    "branches": [
      {
        "branches": [
          {
            "branches": [
              {
                "category": "product_name",
                "name": "HCL BigFix",
                "product": {
                  "name": "HCL BigFix",
                  "product_id": "T036098",
                  "product_identification_helper": {
                    "cpe": "cpe:/a:hcltech:bigfix:webui"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "Server Automation",
                "product": {
                  "name": "HCL BigFix Server Automation",
                  "product_id": "T039915",
                  "product_identification_helper": {
                    "cpe": "cpe:/a:hcltech:bigfix:server_automation"
                  }
                }
              }
            ],
            "category": "product_name",
            "name": "BigFix"
          }
        ],
        "category": "vendor",
        "name": "HCL"
      }
    ]
  },
  "vulnerabilities": [
    {
      "cve": "CVE-2023-26159",
      "notes": [
        {
          "category": "description",
          "text": "In HCL BigFix existieren mehrere Schwachstellen in mehreren Third Party Komponenten. Ein entfernter, anonymer Angreifer kann diese Schwachstellen ausnutzen, um die Vertraulichkeit, Verf\u00fcgbarkeit und die Integrit\u00e4t zu gef\u00e4hrden."
        }
      ],
      "product_status": {
        "known_affected": [
          "T039915",
          "T036098"
        ]
      },
      "release_date": "2024-11-05T23:00:00.000+00:00",
      "title": "CVE-2023-26159"
    },
    {
      "cve": "CVE-2023-45857",
      "notes": [
        {
          "category": "description",
          "text": "In HCL BigFix existieren mehrere Schwachstellen in mehreren Third Party Komponenten. Ein entfernter, anonymer Angreifer kann diese Schwachstellen ausnutzen, um die Vertraulichkeit, Verf\u00fcgbarkeit und die Integrit\u00e4t zu gef\u00e4hrden."
        }
      ],
      "product_status": {
        "known_affected": [
          "T039915",
          "T036098"
        ]
      },
      "release_date": "2024-11-05T23:00:00.000+00:00",
      "title": "CVE-2023-45857"
    },
    {
      "cve": "CVE-2024-21501",
      "notes": [
        {
          "category": "description",
          "text": "In HCL BigFix existieren mehrere Schwachstellen in mehreren Third Party Komponenten. Ein entfernter, anonymer Angreifer kann diese Schwachstellen ausnutzen, um die Vertraulichkeit, Verf\u00fcgbarkeit und die Integrit\u00e4t zu gef\u00e4hrden."
        }
      ],
      "product_status": {
        "known_affected": [
          "T039915",
          "T036098"
        ]
      },
      "release_date": "2024-11-05T23:00:00.000+00:00",
      "title": "CVE-2024-21501"
    },
    {
      "cve": "CVE-2024-33883",
      "notes": [
        {
          "category": "description",
          "text": "In HCL BigFix existieren mehrere Schwachstellen in mehreren Third Party Komponenten. Ein entfernter, anonymer Angreifer kann diese Schwachstellen ausnutzen, um die Vertraulichkeit, Verf\u00fcgbarkeit und die Integrit\u00e4t zu gef\u00e4hrden."
        }
      ],
      "product_status": {
        "known_affected": [
          "T039915",
          "T036098"
        ]
      },
      "release_date": "2024-11-05T23:00:00.000+00:00",
      "title": "CVE-2024-33883"
    },
    {
      "cve": "CVE-2024-35255",
      "notes": [
        {
          "category": "description",
          "text": "In HCL BigFix existieren mehrere Schwachstellen in mehreren Third Party Komponenten. Ein entfernter, anonymer Angreifer kann diese Schwachstellen ausnutzen, um die Vertraulichkeit, Verf\u00fcgbarkeit und die Integrit\u00e4t zu gef\u00e4hrden."
        }
      ],
      "product_status": {
        "known_affected": [
          "T039915",
          "T036098"
        ]
      },
      "release_date": "2024-11-05T23:00:00.000+00:00",
      "title": "CVE-2024-35255"
    },
    {
      "cve": "CVE-2024-38996",
      "notes": [
        {
          "category": "description",
          "text": "In HCL BigFix existieren mehrere Schwachstellen in mehreren Third Party Komponenten. Ein entfernter, anonymer Angreifer kann diese Schwachstellen ausnutzen, um die Vertraulichkeit, Verf\u00fcgbarkeit und die Integrit\u00e4t zu gef\u00e4hrden."
        }
      ],
      "product_status": {
        "known_affected": [
          "T039915",
          "T036098"
        ]
      },
      "release_date": "2024-11-05T23:00:00.000+00:00",
      "title": "CVE-2024-38996"
    },
    {
      "cve": "CVE-2024-43796",
      "notes": [
        {
          "category": "description",
          "text": "In HCL BigFix existieren mehrere Schwachstellen in mehreren Third Party Komponenten. Ein entfernter, anonymer Angreifer kann diese Schwachstellen ausnutzen, um die Vertraulichkeit, Verf\u00fcgbarkeit und die Integrit\u00e4t zu gef\u00e4hrden."
        }
      ],
      "product_status": {
        "known_affected": [
          "T039915",
          "T036098"
        ]
      },
      "release_date": "2024-11-05T23:00:00.000+00:00",
      "title": "CVE-2024-43796"
    },
    {
      "cve": "CVE-2024-43799",
      "notes": [
        {
          "category": "description",
          "text": "In HCL BigFix existieren mehrere Schwachstellen in mehreren Third Party Komponenten. Ein entfernter, anonymer Angreifer kann diese Schwachstellen ausnutzen, um die Vertraulichkeit, Verf\u00fcgbarkeit und die Integrit\u00e4t zu gef\u00e4hrden."
        }
      ],
      "product_status": {
        "known_affected": [
          "T039915",
          "T036098"
        ]
      },
      "release_date": "2024-11-05T23:00:00.000+00:00",
      "title": "CVE-2024-43799"
    },
    {
      "cve": "CVE-2024-43800",
      "notes": [
        {
          "category": "description",
          "text": "In HCL BigFix existieren mehrere Schwachstellen in mehreren Third Party Komponenten. Ein entfernter, anonymer Angreifer kann diese Schwachstellen ausnutzen, um die Vertraulichkeit, Verf\u00fcgbarkeit und die Integrit\u00e4t zu gef\u00e4hrden."
        }
      ],
      "product_status": {
        "known_affected": [
          "T039915",
          "T036098"
        ]
      },
      "release_date": "2024-11-05T23:00:00.000+00:00",
      "title": "CVE-2024-43800"
    },
    {
      "cve": "CVE-2024-45296",
      "notes": [
        {
          "category": "description",
          "text": "In HCL BigFix existieren mehrere Schwachstellen in mehreren Third Party Komponenten. Ein entfernter, anonymer Angreifer kann diese Schwachstellen ausnutzen, um die Vertraulichkeit, Verf\u00fcgbarkeit und die Integrit\u00e4t zu gef\u00e4hrden."
        }
      ],
      "product_status": {
        "known_affected": [
          "T039915",
          "T036098"
        ]
      },
      "release_date": "2024-11-05T23:00:00.000+00:00",
      "title": "CVE-2024-45296"
    },
    {
      "cve": "CVE-2024-45590",
      "notes": [
        {
          "category": "description",
          "text": "In HCL BigFix existieren mehrere Schwachstellen in mehreren Third Party Komponenten. Ein entfernter, anonymer Angreifer kann diese Schwachstellen ausnutzen, um die Vertraulichkeit, Verf\u00fcgbarkeit und die Integrit\u00e4t zu gef\u00e4hrden."
        }
      ],
      "product_status": {
        "known_affected": [
          "T039915",
          "T036098"
        ]
      },
      "release_date": "2024-11-05T23:00:00.000+00:00",
      "title": "CVE-2024-45590"
    },
    {
      "cve": "CVE-2024-8372",
      "notes": [
        {
          "category": "description",
          "text": "In HCL BigFix existieren mehrere Schwachstellen in mehreren Third Party Komponenten. Ein entfernter, anonymer Angreifer kann diese Schwachstellen ausnutzen, um die Vertraulichkeit, Verf\u00fcgbarkeit und die Integrit\u00e4t zu gef\u00e4hrden."
        }
      ],
      "product_status": {
        "known_affected": [
          "T039915",
          "T036098"
        ]
      },
      "release_date": "2024-11-05T23:00:00.000+00:00",
      "title": "CVE-2024-8372"
    },
    {
      "cve": "CVE-2024-8373",
      "notes": [
        {
          "category": "description",
          "text": "In HCL BigFix existieren mehrere Schwachstellen in mehreren Third Party Komponenten. Ein entfernter, anonymer Angreifer kann diese Schwachstellen ausnutzen, um die Vertraulichkeit, Verf\u00fcgbarkeit und die Integrit\u00e4t zu gef\u00e4hrden."
        }
      ],
      "product_status": {
        "known_affected": [
          "T039915",
          "T036098"
        ]
      },
      "release_date": "2024-11-05T23:00:00.000+00:00",
      "title": "CVE-2024-8373"
    }
  ]
}

WID-SEC-W-2024-3344

Vulnerability from csaf_certbund

Published

2024-11-05 23:00

Modified

2024-12-18 23:00

Summary

HCL BigFix WebUI: Mehrere Open Source Schwachstellen

Notes

Produktbeschreibung

BigFix ist eine Lösung zum Erkennen und Verwalten von physischen und virtuellen Endpunkten.

Angriff

Ein entfernter, anonymer Angreifer kann mehrere Schwachstellen in HCL BigFix WebU ausnutzen, um die Vertraulichkeit, Verfügbarkeit und Integrität zu gefährden.

Betroffene Betriebssysteme

- Linux - Sonstiges - UNIX - Windows

JSON

To clipboard

{
  "document": {
    "aggregate_severity": {
      "text": "hoch"
    },
    "category": "csaf_base",
    "csaf_version": "2.0",
    "distribution": {
      "tlp": {
        "label": "WHITE",
        "url": "https://www.first.org/tlp/"
      }
    },
    "lang": "de-DE",
    "notes": [
      {
        "category": "legal_disclaimer",
        "text": "Das BSI ist als Anbieter f\u00fcr die eigenen, zur Nutzung bereitgestellten Inhalte nach den allgemeinen Gesetzen verantwortlich. Nutzerinnen und Nutzer sind jedoch daf\u00fcr verantwortlich, die Verwendung und/oder die Umsetzung der mit den Inhalten bereitgestellten Informationen sorgf\u00e4ltig im Einzelfall zu pr\u00fcfen."
      },
      {
        "category": "description",
        "text": "BigFix ist eine L\u00f6sung zum Erkennen und Verwalten von physischen und virtuellen Endpunkten.",
        "title": "Produktbeschreibung"
      },
      {
        "category": "summary",
        "text": "Ein entfernter, anonymer Angreifer kann mehrere Schwachstellen in HCL BigFix WebU ausnutzen, um die Vertraulichkeit, Verf\u00fcgbarkeit und Integrit\u00e4t zu gef\u00e4hrden.",
        "title": "Angriff"
      },
      {
        "category": "general",
        "text": "- Linux\n- Sonstiges\n- UNIX\n- Windows",
        "title": "Betroffene Betriebssysteme"
      }
    ],
    "publisher": {
      "category": "other",
      "contact_details": "csaf-provider@cert-bund.de",
      "name": "Bundesamt f\u00fcr Sicherheit in der Informationstechnik",
      "namespace": "https://www.bsi.bund.de"
    },
    "references": [
      {
        "category": "self",
        "summary": "WID-SEC-W-2024-3344 - CSAF Version",
        "url": "https://wid.cert-bund.de/.well-known/csaf/white/2024/wid-sec-w-2024-3344.json"
      },
      {
        "category": "self",
        "summary": "WID-SEC-2024-3344 - Portal Version",
        "url": "https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2024-3344"
      },
      {
        "category": "external",
        "summary": "HCL BigFix Security Advisory vom 2024-11-05",
        "url": "https://support.hcl-software.com/community?id=community_blog\u0026sys_id=e8e9f77b936dd6100dddf87d1dba103d"
      },
      {
        "category": "external",
        "summary": "HCL Security Bulletin vom 2024-12-18",
        "url": "https://support.hcl-software.com/community?id=community_blog\u0026sys_id=1af3c435fb2216d0db10f2797befdc15"
      }
    ],
    "source_lang": "en-US",
    "title": "HCL BigFix WebUI: Mehrere Open Source Schwachstellen",
    "tracking": {
      "current_release_date": "2024-12-18T23:00:00.000+00:00",
      "generator": {
        "date": "2024-12-19T09:12:54.292+00:00",
        "engine": {
          "name": "BSI-WID",
          "version": "1.3.10"
        }
      },
      "id": "WID-SEC-W-2024-3344",
      "initial_release_date": "2024-11-05T23:00:00.000+00:00",
      "revision_history": [
        {
          "date": "2024-11-05T23:00:00.000+00:00",
          "number": "1",
          "summary": "Initiale Fassung"
        },
        {
          "date": "2024-12-18T23:00:00.000+00:00",
          "number": "2",
          "summary": "Neue Updates aufgenommen"
        }
      ],
      "status": "final",
      "version": "2"
    }
  },
  "product_tree": {
    "branches": [
      {
        "branches": [
          {
            "branches": [
              {
                "category": "product_name",
                "name": "HCL BigFix",
                "product": {
                  "name": "HCL BigFix",
                  "product_id": "T036098",
                  "product_identification_helper": {
                    "cpe": "cpe:/a:hcltech:bigfix:webui"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "Server Automation",
                "product": {
                  "name": "HCL BigFix Server Automation",
                  "product_id": "T039915",
                  "product_identification_helper": {
                    "cpe": "cpe:/a:hcltech:bigfix:server_automation"
                  }
                }
              }
            ],
            "category": "product_name",
            "name": "BigFix"
          }
        ],
        "category": "vendor",
        "name": "HCL"
      }
    ]
  },
  "vulnerabilities": [
    {
      "cve": "CVE-2023-26159",
      "notes": [
        {
          "category": "description",
          "text": "In HCL BigFix existieren mehrere Schwachstellen in mehreren Third Party Komponenten. Ein entfernter, anonymer Angreifer kann diese Schwachstellen ausnutzen, um die Vertraulichkeit, Verf\u00fcgbarkeit und die Integrit\u00e4t zu gef\u00e4hrden."
        }
      ],
      "product_status": {
        "known_affected": [
          "T039915",
          "T036098"
        ]
      },
      "release_date": "2024-11-05T23:00:00.000+00:00",
      "title": "CVE-2023-26159"
    },
    {
      "cve": "CVE-2023-45857",
      "notes": [
        {
          "category": "description",
          "text": "In HCL BigFix existieren mehrere Schwachstellen in mehreren Third Party Komponenten. Ein entfernter, anonymer Angreifer kann diese Schwachstellen ausnutzen, um die Vertraulichkeit, Verf\u00fcgbarkeit und die Integrit\u00e4t zu gef\u00e4hrden."
        }
      ],
      "product_status": {
        "known_affected": [
          "T039915",
          "T036098"
        ]
      },
      "release_date": "2024-11-05T23:00:00.000+00:00",
      "title": "CVE-2023-45857"
    },
    {
      "cve": "CVE-2024-21501",
      "notes": [
        {
          "category": "description",
          "text": "In HCL BigFix existieren mehrere Schwachstellen in mehreren Third Party Komponenten. Ein entfernter, anonymer Angreifer kann diese Schwachstellen ausnutzen, um die Vertraulichkeit, Verf\u00fcgbarkeit und die Integrit\u00e4t zu gef\u00e4hrden."
        }
      ],
      "product_status": {
        "known_affected": [
          "T039915",
          "T036098"
        ]
      },
      "release_date": "2024-11-05T23:00:00.000+00:00",
      "title": "CVE-2024-21501"
    },
    {
      "cve": "CVE-2024-33883",
      "notes": [
        {
          "category": "description",
          "text": "In HCL BigFix existieren mehrere Schwachstellen in mehreren Third Party Komponenten. Ein entfernter, anonymer Angreifer kann diese Schwachstellen ausnutzen, um die Vertraulichkeit, Verf\u00fcgbarkeit und die Integrit\u00e4t zu gef\u00e4hrden."
        }
      ],
      "product_status": {
        "known_affected": [
          "T039915",
          "T036098"
        ]
      },
      "release_date": "2024-11-05T23:00:00.000+00:00",
      "title": "CVE-2024-33883"
    },
    {
      "cve": "CVE-2024-35255",
      "notes": [
        {
          "category": "description",
          "text": "In HCL BigFix existieren mehrere Schwachstellen in mehreren Third Party Komponenten. Ein entfernter, anonymer Angreifer kann diese Schwachstellen ausnutzen, um die Vertraulichkeit, Verf\u00fcgbarkeit und die Integrit\u00e4t zu gef\u00e4hrden."
        }
      ],
      "product_status": {
        "known_affected": [
          "T039915",
          "T036098"
        ]
      },
      "release_date": "2024-11-05T23:00:00.000+00:00",
      "title": "CVE-2024-35255"
    },
    {
      "cve": "CVE-2024-38996",
      "notes": [
        {
          "category": "description",
          "text": "In HCL BigFix existieren mehrere Schwachstellen in mehreren Third Party Komponenten. Ein entfernter, anonymer Angreifer kann diese Schwachstellen ausnutzen, um die Vertraulichkeit, Verf\u00fcgbarkeit und die Integrit\u00e4t zu gef\u00e4hrden."
        }
      ],
      "product_status": {
        "known_affected": [
          "T039915",
          "T036098"
        ]
      },
      "release_date": "2024-11-05T23:00:00.000+00:00",
      "title": "CVE-2024-38996"
    },
    {
      "cve": "CVE-2024-43796",
      "notes": [
        {
          "category": "description",
          "text": "In HCL BigFix existieren mehrere Schwachstellen in mehreren Third Party Komponenten. Ein entfernter, anonymer Angreifer kann diese Schwachstellen ausnutzen, um die Vertraulichkeit, Verf\u00fcgbarkeit und die Integrit\u00e4t zu gef\u00e4hrden."
        }
      ],
      "product_status": {
        "known_affected": [
          "T039915",
          "T036098"
        ]
      },
      "release_date": "2024-11-05T23:00:00.000+00:00",
      "title": "CVE-2024-43796"
    },
    {
      "cve": "CVE-2024-43799",
      "notes": [
        {
          "category": "description",
          "text": "In HCL BigFix existieren mehrere Schwachstellen in mehreren Third Party Komponenten. Ein entfernter, anonymer Angreifer kann diese Schwachstellen ausnutzen, um die Vertraulichkeit, Verf\u00fcgbarkeit und die Integrit\u00e4t zu gef\u00e4hrden."
        }
      ],
      "product_status": {
        "known_affected": [
          "T039915",
          "T036098"
        ]
      },
      "release_date": "2024-11-05T23:00:00.000+00:00",
      "title": "CVE-2024-43799"
    },
    {
      "cve": "CVE-2024-43800",
      "notes": [
        {
          "category": "description",
          "text": "In HCL BigFix existieren mehrere Schwachstellen in mehreren Third Party Komponenten. Ein entfernter, anonymer Angreifer kann diese Schwachstellen ausnutzen, um die Vertraulichkeit, Verf\u00fcgbarkeit und die Integrit\u00e4t zu gef\u00e4hrden."
        }
      ],
      "product_status": {
        "known_affected": [
          "T039915",
          "T036098"
        ]
      },
      "release_date": "2024-11-05T23:00:00.000+00:00",
      "title": "CVE-2024-43800"
    },
    {
      "cve": "CVE-2024-45296",
      "notes": [
        {
          "category": "description",
          "text": "In HCL BigFix existieren mehrere Schwachstellen in mehreren Third Party Komponenten. Ein entfernter, anonymer Angreifer kann diese Schwachstellen ausnutzen, um die Vertraulichkeit, Verf\u00fcgbarkeit und die Integrit\u00e4t zu gef\u00e4hrden."
        }
      ],
      "product_status": {
        "known_affected": [
          "T039915",
          "T036098"
        ]
      },
      "release_date": "2024-11-05T23:00:00.000+00:00",
      "title": "CVE-2024-45296"
    },
    {
      "cve": "CVE-2024-45590",
      "notes": [
        {
          "category": "description",
          "text": "In HCL BigFix existieren mehrere Schwachstellen in mehreren Third Party Komponenten. Ein entfernter, anonymer Angreifer kann diese Schwachstellen ausnutzen, um die Vertraulichkeit, Verf\u00fcgbarkeit und die Integrit\u00e4t zu gef\u00e4hrden."
        }
      ],
      "product_status": {
        "known_affected": [
          "T039915",
          "T036098"
        ]
      },
      "release_date": "2024-11-05T23:00:00.000+00:00",
      "title": "CVE-2024-45590"
    },
    {
      "cve": "CVE-2024-8372",
      "notes": [
        {
          "category": "description",
          "text": "In HCL BigFix existieren mehrere Schwachstellen in mehreren Third Party Komponenten. Ein entfernter, anonymer Angreifer kann diese Schwachstellen ausnutzen, um die Vertraulichkeit, Verf\u00fcgbarkeit und die Integrit\u00e4t zu gef\u00e4hrden."
        }
      ],
      "product_status": {
        "known_affected": [
          "T039915",
          "T036098"
        ]
      },
      "release_date": "2024-11-05T23:00:00.000+00:00",
      "title": "CVE-2024-8372"
    },
    {
      "cve": "CVE-2024-8373",
      "notes": [
        {
          "category": "description",
          "text": "In HCL BigFix existieren mehrere Schwachstellen in mehreren Third Party Komponenten. Ein entfernter, anonymer Angreifer kann diese Schwachstellen ausnutzen, um die Vertraulichkeit, Verf\u00fcgbarkeit und die Integrit\u00e4t zu gef\u00e4hrden."
        }
      ],
      "product_status": {
        "known_affected": [
          "T039915",
          "T036098"
        ]
      },
      "release_date": "2024-11-05T23:00:00.000+00:00",
      "title": "CVE-2024-8373"
    }
  ]
}

ghsa-876p-c77m-x2hc

Vulnerability from github

Published

2024-07-01 15:32

Modified

2024-09-04 16:39

Severity ?

9.8 (Critical) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
8.9 (High) - CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P

Summary

Prototype pollution in ag-grid-community via the _.mergeDeep function

Details

Show details on source website

JSON

To clipboard

{
  "affected": [
    {
      "package": {
        "ecosystem": "npm",
        "name": "ag-grid-enterprise"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "31.3.4"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "npm",
        "name": "ag-grid-community"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "31.3.4"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2024-38996"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1321"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2024-07-01T22:34:03Z",
    "nvd_published_at": "2024-07-01T13:15:05Z",
    "severity": "HIGH"
  },
  "details": "ag-grid-community v31.3.2 and ag-grid-enterprise v31.3.2 were discovered to contain a prototype pollution via the _.mergeDeep function. This vulnerability allows attackers to execute arbitrary code or cause a Denial of Service (DoS) via injecting arbitrary properties. Prior versions were also found to be affected.",
  "id": "GHSA-876p-c77m-x2hc",
  "modified": "2024-09-04T16:39:10Z",
  "published": "2024-07-01T15:32:17Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-38996"
    },
    {
      "type": "WEB",
      "url": "https://github.com/ag-grid/ag-grid/pull/8290"
    },
    {
      "type": "WEB",
      "url": "https://gist.github.com/mestrtee/18e8c27f3a6376e7cf082cfe1ca766fa"
    },
    {
      "type": "WEB",
      "url": "https://gist.github.com/mestrtee/c1590660750744f25e86ba1bf240844b"
    },
    {
      "type": "WEB",
      "url": "https://gist.github.com/mestrtee/f8037d492dab0d77bca719e05d31c08b"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/ag-grid/ag-grid"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P",
      "type": "CVSS_V4"
    }
  ],
  "summary": "Prototype pollution in ag-grid-community via the _.mergeDeep function"
}

fkie_cve-2024-38996

Vulnerability from fkie_nvd

Published

2024-07-01 13:15

Modified

2024-11-21 09:27

Severity ?

9.8 (Critical) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Summary

References

▼	URL	Tags
	cve@mitre.org	https://gist.github.com/mestrtee/18e8c27f3a6376e7cf082cfe1ca766fa
	cve@mitre.org	https://gist.github.com/mestrtee/c1590660750744f25e86ba1bf240844b
	cve@mitre.org	https://gist.github.com/mestrtee/f8037d492dab0d77bca719e05d31c08b
	af854a3a-2127-422b-91ae-364da2661108	https://gist.github.com/mestrtee/18e8c27f3a6376e7cf082cfe1ca766fa
	af854a3a-2127-422b-91ae-364da2661108	https://gist.github.com/mestrtee/c1590660750744f25e86ba1bf240844b
	af854a3a-2127-422b-91ae-364da2661108	https://gist.github.com/mestrtee/f8037d492dab0d77bca719e05d31c08b

Impacted products

	Vendor	Product	Version

JSON

To clipboard

{
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "ag-grid-community v31.3.2 and ag-grid-enterprise v31.3.2 were discovered to contain a prototype pollution via the _.mergeDeep function. This vulnerability allows attackers to execute arbitrary code or cause a Denial of Service (DoS) via injecting arbitrary properties."
    },
    {
      "lang": "es",
      "value": "Se descubri\u00f3 que ag-grid-community v31.3.2 y ag-grid-enterprise v31.3.2 conten\u00edan un prototipo de contaminaci\u00f3n a trav\u00e9s de la funci\u00f3n _.mergeDeep. Esta vulnerabilidad permite a los atacantes ejecutar c\u00f3digo arbitrario o provocar una denegaci\u00f3n de servicio (DoS) mediante la inyecci\u00f3n de propiedades arbitrarias."
    }
  ],
  "id": "CVE-2024-38996",
  "lastModified": "2024-11-21T09:27:04.387",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "HIGH",
          "baseScore": 9.8,
          "baseSeverity": "CRITICAL",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "HIGH",
          "privilegesRequired": "NONE",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
          "version": "3.1"
        },
        "exploitabilityScore": 3.9,
        "impactScore": 5.9,
        "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
        "type": "Secondary"
      }
    ]
  },
  "published": "2024-07-01T13:15:05.103",
  "references": [
    {
      "source": "cve@mitre.org",
      "url": "https://gist.github.com/mestrtee/18e8c27f3a6376e7cf082cfe1ca766fa"
    },
    {
      "source": "cve@mitre.org",
      "url": "https://gist.github.com/mestrtee/c1590660750744f25e86ba1bf240844b"
    },
    {
      "source": "cve@mitre.org",
      "url": "https://gist.github.com/mestrtee/f8037d492dab0d77bca719e05d31c08b"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "https://gist.github.com/mestrtee/18e8c27f3a6376e7cf082cfe1ca766fa"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "https://gist.github.com/mestrtee/c1590660750744f25e86ba1bf240844b"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "https://gist.github.com/mestrtee/f8037d492dab0d77bca719e05d31c08b"
    }
  ],
  "sourceIdentifier": "cve@mitre.org",
  "vulnStatus": "Awaiting Analysis",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-1321"
        }
      ],
      "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
      "type": "Secondary"
    }
  ]
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
Confirmed: The vulnerability is confirmed from an analyst perspective.
Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
Patched: This vulnerability was successfully patched by the user reporting the sighting.
Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
Not confirmed: The user expresses doubt about the veracity of the vulnerability.
Not patched: This vulnerability was not successfully patched by the user reporting the sighting.

Action not permitted

cve-2024-38996

Vulnerability from cvelistv5

wid-sec-w-2024-3344

Vulnerability from csaf_certbund

WID-SEC-W-2024-3344

Vulnerability from csaf_certbund

ghsa-876p-c77m-x2hc

Vulnerability from github

fkie_cve-2024-38996

Vulnerability from fkie_nvd

Tags

Sightings

Nomenclature