Lucene search

GitHub_MCVE-2024-27105

HistoryMar 21, 2024 - 2:52 a.m.

CVE-2024-27105

2024-03-2102:52:18

CWE-863

GitHub_M

web.nvd.nist.gov

frappe

web app framework

cve-2024-27105

file permission bypass

patch

security vulnerability

endpoint

less privileged users restriction

CVSS3

8.1

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N

AI Score

6.7

Confidence

Low

EPSS

Percentile

9.0%

JSON

Frappe is a full-stack web application framework. Prior to versions 14.66.3 and 15.16.0, file permission can be bypassed using certain endpoints, granting less privileged users permission to delete or clone a file. Versions 14.66.3 and 15.16.0 contain a patch for this issue. No known workarounds are available.

Affected configurations

Vulners

Vulnrichment

Node

frappefrappeRange<14.66.3

frappefrappeRange15.0.0–15.16.0

VendorProductVersionCPE
frappefrappe*cpe:2.3:a:frappe:frappe:*:*:*:*:*:*:*:*

Vendor	Product	Version	CPE
frappe	frappe	*	cpe:2.3:a:frappe:frappe::::::::

CNA Affected

[
  {
    "vendor": "frappe",
    "product": "frappe",
    "versions": [
      {
        "version": "< 14.66.3",
        "status": "affected"
      },
      {
        "version": ">= 15.0.0, < 15.16.0",
        "status": "affected"
      }
    ]
  }
]

References

github.com/frappe/frappe/security/advisories/GHSA-hq5v-q29v-7rcw

CVSS3

8.1

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N

AI Score

6.7

Confidence

Low

EPSS

Percentile

9.0%

JSON

Related for CVE-2024-27105