CVE-2024-33881 - OpenCVE

An issue was discovered in VirtoSoftware Virto Bulk File Download 5.5.44 for SharePoint 2019. The Virto.SharePoint.FileDownloader/Api/Download.ashx isCompleted method allows an NTLMv2 hash leak via a UNC share pathname in the path parameter.

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact Low

Integrity Impact None

Availability Impact None

User Interaction None

No CVSS v3.0

No CVSS v2

Vendors & Products
CPE Configurations

Vendors	Products
Virtosoftware	Sharepoint Bulk File Download
Microsoft	Sharepoint Server

Configuration 1 [-]

AND

cpe:2.3:a:virtosoftware:sharepoint_bulk_file_download:5.5.44:*:*:*:*:*:*:*

cpe:2.3:a:microsoft:sharepoint_server:2019:*:*:*:*:*:*:*

References

Link	Resource
https://docs.virtosoftware.com/v/virto-security-frequently-asked-questions-faq	Product
https://download.virtosoftware.com/Manuals/nu_ncsc_virto_one_bulk_file_download_v5.4.4_pt_disclosure.pdf	Product

History

No history.

MITRE Information

Status: PUBLISHED

Assigner: mitre

Published: 2024-06-24T00:00:00

Updated: 2024-06-25T14:50:25.208Z

Reserved: 2024-04-28T00:00:00

Link: CVE-2024-33881

JSON object: View

NVD Information

Status : Analyzed

Published: 2024-06-24T17:15:10.447

Modified: 2024-06-26T14:42:27.170

Link: CVE-2024-33881

JSON object: View

Redhat Information

No data.

CWE

CWE-22

{"dataType": "CVE_RECORD", "cveMetadata": {"state": "PUBLISHED", "cveId": "CVE-2024-33881", "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "dateUpdated": "2024-06-25T14:50:25.208Z", "dateReserved": "2024-04-28T00:00:00", "datePublished": "2024-06-24T00:00:00"}, "containers": {"cna": {"providerMetadata": {"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre", "dateUpdated": "2024-06-24T16:33:49.955826"}, "descriptions": [{"lang": "en", "value": "An issue was discovered in VirtoSoftware Virto Bulk File Download 5.5.44 for SharePoint 2019. The Virto.SharePoint.FileDownloader/Api/Download.ashx isCompleted method allows an NTLMv2 hash leak via a UNC share pathname in the path parameter."}], "affected": [{"vendor": "n/a", "product": "n/a", "versions": [{"version": "n/a", "status": "affected"}]}], "references": [{"url": "https://docs.virtosoftware.com/v/virto-security-frequently-asked-questions-faq"}, {"url": "https://download.virtosoftware.com/Manuals/nu_ncsc_virto_one_bulk_file_download_v5.4.4_pt_disclosure.pdf"}], "problemTypes": [{"descriptions": [{"type": "text", "lang": "en", "description": "n/a"}]}]}, "adp": [{"problemTypes": [{"descriptions": [{"type": "CWE", "cweId": "CWE-400", "lang": "en", "description": "CWE-400 Uncontrolled Resource Consumption"}]}], "affected": [{"vendor": "virtosoftware", "product": "virto_bulk_file_download", "cpes": ["cpe:2.3:a:virtosoftware:virto_bulk_file_download:5.5.44:*:*:*:*:*:*:*"], "defaultStatus": "unknown", "versions": [{"version": "5.5.44", "status": "affected"}]}], "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.5, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}}, {"other": {"type": "ssvc", "content": {"timestamp": "2024-06-25T14:47:10.448909Z", "id": "CVE-2024-33881", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-06-25T14:50:25.208Z"}}]}, "dataVersion": "5.1"}