Products
FOG
- 1.5.10.41
Source
security-advisories@github.com
Tags
CVE-2024-41954 details
Published : July 31, 2024, 8:15 p.m.
Last Modified : July 31, 2024, 8:15 p.m.
Last Modified : July 31, 2024, 8:15 p.m.
Description
FOG is a cloning/imaging/rescue suite/inventory management system. The application stores plaintext service account credentials in the "/opt/fog/.fogsettings" file. This file is by default readable by all users on the host. By exploiting these credentials, a malicious user could create new accounts for the web application and much more. The vulnerability is fixed in 1.5.10.41.
CVSS Score
| 1 | 2 | 3 | 4 | 5.3 | 6 | 7 | 8 | 9 | 10 |
|---|
Weakness
| Weakness | Name | Description |
|---|---|---|
| CWE-732 | Incorrect Permission Assignment for Critical Resource | The product specifies permissions for a security-critical resource in a way that allows that resource to be read or modified by unintended actors. |
CVSS Data
Attack Vector
LOCAL
Attack Complexity
LOW
Privileges Required
LOW
Scope
UNCHANGED
Confidentiality Impact
LOW
Integrity Impact
LOW
Availability Impact
LOW
Base Score
5.3
Exploitability Score
1.8
Impact Score
3.4
Base Severity
MEDIUM
Vector String : CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L
References
| URL | Source |
|---|---|
| https://github.com/FOGProject/fogproject/commit/97ed6d51608e52fc087ca1d2f03d6b8df612fc90 | security-advisories@github.com |
| https://github.com/FOGProject/fogproject/security/advisories/GHSA-pcqm-h8cx-282c | security-advisories@github.com |
This website uses the NVD API, but is not approved or certified by it.