Lucene search

INCIBECVE-2023-24515

HistoryAug 22, 2023 - 7:16 p.m.

CVE-2023-24515

2023-08-2219:16:34

CWE-918

INCIBE

web.nvd.nist.gov

2466

vulnerability

ssrf

pandora fms

api

security issue

nvd

cve-2023-24515

CVSS3

6.5

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N

AI Score

6.4

Confidence

High

EPSS

0.001

Percentile

50.6%

JSON

Server-Side Request Forgery (SSRF) vulnerability in API checker of Pandora FMS. Application does not have a check on the URL scheme used while retrieving API URL. Rather than validating the http/https scheme, the application allows other scheme such as file, which could allow a malicious user to fetch internal file content. This issue affects Pandora FMS v767 version and prior versions on all platforms.

Affected configurations

Nvd

Vulners

Node

pandorafmspandora_fmsRange≤767

VendorProductVersionCPE
pandorafmspandora_fms*cpe:2.3:a:pandorafms:pandora_fms:*:*:*:*:*:*:*:*

Vendor	Product	Version	CPE
pandorafms	pandora_fms	*	cpe:2.3:a:pandorafms:pandora_fms::::::::

CNA Affected

[
  {
    "defaultStatus": "unaffected",
    "platforms": [
      "All"
    ],
    "product": "Pandora FMS",
    "vendor": "Artica PFMS",
    "versions": [
      {
        "lessThanOrEqual": "v767",
        "status": "affected",
        "version": "v0",
        "versionType": "custom"
      }
    ]
  }
]

References

gist.github.com/damodarnaik/9cc76c6b320510c34a0a668bd7439f7b

pandorafms.com/en/security/common-vulnerabilities-and-exposures/

CVSS3

6.5

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N

AI Score

6.4

Confidence

High

EPSS

0.001

Percentile

50.6%

JSON

Related for CVE-2023-24515