CVE-2024-1258 - OpenCVE

A vulnerability was found in Juanpao JPShop up to 1.5.02. It has been declared as problematic. Affected by this vulnerability is an unknown functionality of the file api/config/params.php of the component API. The manipulation of the argument JWT_KEY_ADMIN leads to use of hard-coded cryptographic key . The complexity of an attack is rather high. The exploitation appears to be difficult. The exploit has been disclosed to the public and may be used. The identifier VDB-252997 was assigned to this vulnerability.

Attack Vector Network

Attack Complexity High

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact None

Availability Impact None

User Interaction None

Attack Vector Adjacent Network

Attack Complexity High

Privileges Required None

Scope Unchanged

Confidentiality Impact Low

Integrity Impact None

Availability Impact None

User Interaction None

Access Vector Adjacent Network

Access Complexity High

Authentication None

Confidentiality Impact Partial

Integrity Impact None

Availability Impact None

AV:A/AC:H/Au:N/C:P/I:N/A:N

Vendors & Products
CPE Configurations

Vendors	Products
Juanpao	Jpshop

Configuration 1 [-]

cpe:2.3:a:juanpao:jpshop:*:*:*:*:*:*:*:*

References

Link	Resource
https://note.zhaoj.in/share/XblX1My7jNV7	Broken Link
https://vuldb.com/?ctiid.252997	Permissions Required Third Party Advisory
https://vuldb.com/?id.252997	Third Party Advisory
https://vuldb.com/?submit.277418

History

No history.

MITRE Information

Status: PUBLISHED

Assigner: VulDB

Published: 2024-02-06T20:31:03.761Z

Updated: 2024-04-29T11:09:54.704Z

Reserved: 2024-02-06T08:28:36.258Z

Link: CVE-2024-1258

JSON object: View

NVD Information

Status : Modified

Published: 2024-02-06T21:15:08.660

Modified: 2024-05-17T02:35:20.987

Link: CVE-2024-1258

JSON object: View

Redhat Information

No data.

CWE

CWE-321

{"dataType": "CVE_RECORD", "dataVersion": "5.0", "cveMetadata": {"cveId": "CVE-2024-1258", "assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5", "state": "PUBLISHED", "assignerShortName": "VulDB", "dateReserved": "2024-02-06T08:28:36.258Z", "datePublished": "2024-02-06T20:31:03.761Z", "dateUpdated": "2024-04-29T11:09:54.704Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "1af790b2-7ee1-4545-860a-a788eba489b5", "shortName": "VulDB", "dateUpdated": "2024-04-29T11:09:54.704Z"}, "title": "Juanpao JPShop API params.php hard-coded key", "problemTypes": [{"descriptions": [{"type": "CWE", "cweId": "CWE-321", "lang": "en", "description": "CWE-321 Use of Hard-coded Cryptographic Key\r\n"}]}], "affected": [{"vendor": "Juanpao", "product": "JPShop", "versions": [{"version": "1.5.02", "status": "affected"}], "modules": ["API"]}], "descriptions": [{"lang": "en", "value": "A vulnerability was found in Juanpao JPShop up to 1.5.02. It has been declared as problematic. Affected by this vulnerability is an unknown functionality of the file api/config/params.php of the component API. The manipulation of the argument JWT_KEY_ADMIN leads to use of hard-coded cryptographic key\r . The complexity of an attack is rather high. The exploitation appears to be difficult. The exploit has been disclosed to the public and may be used. The identifier VDB-252997 was assigned to this vulnerability."}, {"lang": "de", "value": "In Juanpao JPShop bis 1.5.02 wurde eine problematische Schwachstelle ausgemacht. Betroffen ist eine unbekannte Verarbeitung der Datei api/config/params.php der Komponente API. Durch Manipulieren des Arguments JWT_KEY_ADMIN mit unbekannten Daten kann eine use of hard-coded cryptographic key\r -Schwachstelle ausgenutzt werden. Die Komplexit\u00e4t eines Angriffs ist eher hoch. Sie gilt als schwierig ausnutzbar. Der Exploit steht zur \u00f6ffentlichen Verf\u00fcgung."}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 3.1, "vectorString": "CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N", "baseSeverity": "LOW"}}, {"cvssV3_0": {"version": "3.0", "baseScore": 3.1, "vectorString": "CVSS:3.0/AV:A/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N", "baseSeverity": "LOW"}}, {"cvssV2_0": {"version": "2.0", "baseScore": 1.8, "vectorString": "AV:A/AC:H/Au:N/C:P/I:N/A:N"}}], "timeline": [{"time": "2024-02-06T00:00:00.000Z", "lang": "en", "value": "Advisory disclosed"}, {"time": "2024-02-06T00:00:00.000Z", "lang": "en", "value": "CVE reserved"}, {"time": "2024-02-06T01:00:00.000Z", "lang": "en", "value": "VulDB entry created"}, {"time": "2024-03-01T08:05:49.000Z", "lang": "en", "value": "VulDB entry last update"}], "credits": [{"lang": "en", "value": "glzjin (VulDB User)", "type": "reporter"}], "references": [{"url": "https://vuldb.com/?id.252997", "name": "VDB-252997 | Juanpao JPShop API params.php hard-coded key", "tags": ["vdb-entry", "technical-description"]}, {"url": "https://vuldb.com/?ctiid.252997", "name": "VDB-252997 | CTI Indicators (IOB, IOC, TTP, IOA)", "tags": ["signature", "permissions-required"]}, {"url": "https://vuldb.com/?submit.277418", "name": "Submit #277418 | JPShop JPShop <=1.5.02 Auth-Bypass", "tags": ["third-party-advisory"]}, {"url": "https://note.zhaoj.in/share/XblX1My7jNV7", "tags": ["broken-link", "exploit"]}]}}}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:juanpao:jpshop:*:*:*:*:*:*:*:*", "matchCriteriaId": "36995D4D-14EF-451E-9C08-19CD2AAB3C6D", "versionEndIncluding": "1.5.02", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "A vulnerability was found in Juanpao JPShop up to 1.5.02. It has been declared as problematic. Affected by this vulnerability is an unknown functionality of the file api/config/params.php of the component API. The manipulation of the argument JWT_KEY_ADMIN leads to use of hard-coded cryptographic key\r . The complexity of an attack is rather high. The exploitation appears to be difficult. The exploit has been disclosed to the public and may be used. The identifier VDB-252997 was assigned to this vulnerability."}, {"lang": "es", "value": "Se encontr\u00f3 una vulnerabilidad en Juanpao JPShop hasta 1.5.02. Ha sido declarada problem\u00e1tica. Una funci\u00f3n desconocida del archivo api/config/params.php del componente API es afectada por esta vulnerabilidad. La manipulaci\u00f3n del argumento JWT_KEY_ADMIN conduce al uso de una clave criptogr\u00e1fica codificada. La complejidad de un ataque es bastante alta. La explotaci\u00f3n parece dif\u00edcil. El exploit ha sido divulgado al p\u00fablico y puede utilizarse. A esta vulnerabilidad se le asign\u00f3 el identificador VDB-252997."}], "id": "CVE-2024-1258", "lastModified": "2024-05-17T02:35:20.987", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "LOW", "cvssData": {"accessComplexity": "HIGH", "accessVector": "ADJACENT_NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 1.8, "confidentialityImpact": "PARTIAL", "integrityImpact": "NONE", "vectorString": "AV:A/AC:H/Au:N/C:P/I:N/A:N", "version": "2.0"}, "exploitabilityScore": 3.2, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "cna@vuldb.com", "type": "Secondary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.9, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 2.2, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "HIGH", "attackVector": "ADJACENT_NETWORK", "availabilityImpact": "NONE", "baseScore": 3.1, "baseSeverity": "LOW", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 1.6, "impactScore": 1.4, "source": "cna@vuldb.com", "type": "Secondary"}]}, "published": "2024-02-06T21:15:08.660", "references": [{"source": "cna@vuldb.com", "tags": ["Broken Link"], "url": "https://note.zhaoj.in/share/XblX1My7jNV7"}, {"source": "cna@vuldb.com", "tags": ["Permissions Required", "Third Party Advisory"], "url": "https://vuldb.com/?ctiid.252997"}, {"source": "cna@vuldb.com", "tags": ["Third Party Advisory"], "url": "https://vuldb.com/?id.252997"}, {"source": "cna@vuldb.com", "url": "https://vuldb.com/?submit.277418"}], "sourceIdentifier": "cna@vuldb.com", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-321"}], "source": "cna@vuldb.com", "type": "Primary"}]}