History: Jun 10, 2024 - 8:15 p.m.

CVE-2024-37393

2024-06-10 20:15:15
CWE-89
CWE-319
mitre
web.nvd.nist.gov
ldap injection
securenvoy mfa
active directory
http endpoint
data exfiltration
laps feature

CVSS3: 7.5

Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: HIGH
Integrity Impact: NONE
Availability Impact: NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

AI Score: 7.7
Confidence: Low

EPSS: 0.013
Percentile: 85.9%

Multiple LDAP injection vulnerabilities exist in SecurEnvoy MFA before 9.4.514 due to improper validation of user-supplied input. An unauthenticated remote attacker could exfiltrate data from Active Directory through blind LDAP injection attacks against the DESKTOP service exposed on the /secserver HTTP endpoint. This may include ms-Mcs-AdmPwd, which has a cleartext password for the Local Administrator Password Solution (LAPS) feature.

Affected configurations

Nvd
Node: securenvoy multi-factor_authentication_solutions, Range < 9.4.514

Vendor: securenvoy
Product: multi-factor_authentication_solutions
Version: *
CPE: cpe:2.3:a:securenvoy:multi-factor_authentication_solutions:*:*:*:*:*:*:*:*
