CVE-2024-37282 - OpenCVE

It was identified that under certain specific preconditions, an API key that was originally created with a specific privileges could be subsequently used to create new API keys that have elevated privileges.

Attack Vector Network

Attack Complexity High

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

No CVSS v3.0

No CVSS v2

Vendors & Products
CPE Configurations

No data.

References

No reference.

History

No history.

MITRE Information

Status: PUBLISHED

Assigner: elastic

Published: 2024-06-28T04:58:18.200Z

Updated: 2024-07-02T14:20:09.438Z

Reserved: 2024-06-05T14:21:14.942Z

Link: CVE-2024-37282

JSON object: View

NVD Information

No data.

Redhat Information

No data.

CWE

CWE-285

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2024-37282", "assignerOrgId": "271b6943-45a9-4f3a-ab4e-976f3fa05b5a", "state": "PUBLISHED", "assignerShortName": "elastic", "dateReserved": "2024-06-05T14:21:14.942Z", "datePublished": "2024-06-28T04:58:18.200Z", "dateUpdated": "2024-07-02T14:20:09.438Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "unaffected", "product": "Elastic Cloud Enterprise", "vendor": "Elastic", "versions": [{"lessThan": "3.7.2", "status": "affected", "version": "3.0.0", "versionType": "semver"}]}], "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "It was identified that under certain specific preconditions, an API key that was originally created with a specific privileges could be subsequently used to create new API keys that have elevated privileges.<br>"}], "value": "It was identified that under certain specific preconditions, an API key that was originally created with a specific privileges could be subsequently used to create new API keys that have elevated privileges."}], "metrics": [{"cvssV3_1": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-285", "description": "CWE-285", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "271b6943-45a9-4f3a-ab4e-976f3fa05b5a", "shortName": "elastic", "dateUpdated": "2024-06-28T04:58:18.200Z"}, "references": [{"url": "https://discuss.elastic.co/t/elastic-cloud-enterprise-3-7-2-security-update-esa-2024-18/362181"}], "source": {"discovery": "UNKNOWN"}, "x_generator": {"engine": "Vulnogram 0.2.0"}}, "adp": [{"affected": [{"vendor": "elastic", "product": "elastic_cloud_enterprise", "cpes": ["cpe:2.3:a:elastic:elastic_cloud_enterprise:*:*:*:*:*:*:*:*"], "defaultStatus": "unaffected", "versions": [{"version": "3.0.0", "status": "affected", "lessThan": "3.7.2", "versionType": "semver"}]}], "metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2024-07-02T14:14:57.087618Z", "id": "CVE-2024-37282", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-07-02T14:20:09.438Z"}}]}}