Products
FOG
- 1.5.10.41.4 and earlier
Source
security-advisories@github.com
Tags
CVE-2024-42349 details
Published : Aug. 2, 2024, 8:17 p.m.
Last Modified : Aug. 2, 2024, 8:17 p.m.
Last Modified : Aug. 2, 2024, 8:17 p.m.
Description
FOG is a cloning/imaging/rescue suite/inventory management system. FOG Server 1.5.10.41.4 and earlier can leak authorized and rejected logins via logs stored directly on the root of the web server. FOG Server creates 2 logs on the root of the web server (fog_login_accepted.log and fog_login_failed.log), exposing the name of the user account used to manage FOG, the IP address of the computer used to login and the User-Agent. This vulnerability is fixed in 1.5.10.47.
CVSS Score
| 1 | 2 | 3 | 4 | 5.3 | 6 | 7 | 8 | 9 | 10 |
|---|
Weakness
| Weakness | Name | Description |
|---|---|---|
| CWE-532 | Insertion of Sensitive Information into Log File | Information written to log files can be of a sensitive nature and give valuable guidance to an attacker or expose sensitive user information. |
CVSS Data
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
Scope
UNCHANGED
Confidentiality Impact
LOW
Integrity Impact
NONE
Availability Impact
NONE
Base Score
5.3
Exploitability Score
3.9
Impact Score
1.4
Base Severity
MEDIUM
Vector String : CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
References
| URL | Source |
|---|---|
| https://github.com/FOGProject/fogproject/security/advisories/GHSA-697m-3c4p-g29h | security-advisories@github.com |
This website uses the NVD API, but is not approved or certified by it.