CVE-2024-2013

Authentication Bypass Using an Alternate Path or Channel (CWE-288)

Published: Jun 11, 2024 / Updated: 5mo ago

CVSS 10 / EPSS 0.04% / Critical

Summary

An authentication bypass vulnerability exists in the FOXMAN-UN/UNEM server API Gateway component that allows attackers without any access to interact with the services and the post-authentication attack surface.

Impact

This vulnerability could allow an unauthenticated attacker to reach sensitive systems and data behind the API Gateway. Such an attacker may be able to execute unauthorized actions, view or modify data, and potentially move laterally within the network. The vulnerability has been assigned a CVSS v3.1 base score of 10.0, the highest possible severity. It affects confidentiality, integrity, and availability, all with HIGH impact. The attack vector is NETWORK, no user interaction is required, and no privileges are needed, indicating that it is easily exploitable.

Exploitation

There is no evidence that a public proof-of-concept exists. There is no evidence of proof of exploitation at the moment.

Patch

The vulnerability description does not explicitly state whether a patch is available. However, given the critical severity of this vulnerability, it is likely that the vendor will prioritize releasing patches to address this authentication bypass as soon as possible.

Mitigation

Until a patch is available, apply compensating controls such as network segmentation, restricting access to the API Gateway, enabling multi-factor authentication, monitoring for suspicious activity, and following the principle of least privilege. Update the affected software as soon as patches are released.

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

Timeline

First Article

Feedly found the first article mentioning CVE-2024-2013.

Jun 11, 2024 at 2:08 PM / VulDB Recent Entries
CVSS Estimate

Feedly estimated the CVSS score as HIGH

Jun 11, 2024 at 2:08 PM
CVE Assignment

NVD published the first details for CVE-2024-2013

Jun 11, 2024 at 2:15 PM
CVSS

A CVSS base score of 10 has been assigned.

Jun 11, 2024 at 2:21 PM / nvd
EPSS

EPSS Score was set to: 0.04% (Percentile: 8.9%)

Jun 12, 2024 at 1:34 PM

Affected Systems

Hitachienergy/unem

Patches

publisher.hitachienergy.com

Links to Mitre Att&cks

T1083: File and Directory Discovery

Attack Patterns

CAPEC-127: Directory Indexing

News

US-CERT Vulnerability Summary for the Week of June 10, 2024
The CISA Vulnerability Bulletin provides a summary of new vulnerabilities that have been recorded by the National Institute of Standards and Technology (NIST) National Vulnerability Database (NVD) in the past week. NVD is sponsored by CISA. In some cases, the vulnerabilities in the bulletin may not yet have assigned CVSS scores. Please visit NVD for updated vulnerability entries, which include CVSS scores once they are available. Vulnerabilities are based on the Common Vulnerabilities and Exposures (CVE) vulnerability naming standard and are organized according to severity, determined by the Common Vulnerability Scoring System (CVSS) standard. The division of high, medium, and low severities corresponds to the following scores:
High: vulnerabilities with a CVSS base score of 7.0–10.0
Medium: vulnerabilities with a CVSS base score of 4.0–6.9
Low: vulnerabilities with a CVSS base score of 0.0–3.9
Entries may include additional information provided by organizations and efforts sponsored by CISA.
Vulnerability Summary for the Week of June 10, 2024 (bjackson, Jun 17, 2024)

High Vulnerabilities (Primary Vendor -- Product | Description | Published | CVSS Score | Source & Patch Info):

actpro -- extra_product_options_for_woocommerce | Missing Authorization vulnerability in actpro Extra Product Options for WooCommerce. This issue affects Extra Product Options for WooCommerce: from n/a through 3.0.6. | 2024-06-10 | 8.8 | CVE-2024-35727 (audit@patchstack.com)
adfinis -- document-merge-service | Document Merge Service is a document template merge service providing an API to manage templates and merge them with given data. Versions 6.5.1 and prior are vulnerable to remote code execution via server-side template injection which, when executed as root, can result in full takeover of the affected system. As of time of publication, no patched version exists, nor have any known workarounds been disclosed. | 2024-06-11 | 9.9 | CVE-2024-37301 (security-advisories@github.com)
Adobe -- Adobe Commerce | Adobe Commerce versions 2.4.7, 2.4.6-p5, 2.4.5-p7, 2.4.4-p8 and earlier are affected by an Improper Restriction of XML External Entity Reference ('XXE') vulnerability that could result in arbitrary code execution. An attacker could exploit this vulnerability by sending a crafted XML document that references external entities. Exploitation of this issue does not require user interaction. | 2024-06-13 | 9.8 | CVE-2024-34102 (psirt@adobe.com)
Adobe -- Adobe Commerce | Adobe Commerce versions 2.4.7, 2.4.6-p5, 2.4.5-p7, 2.4.4-p8 and earlier are affected by an Improper Input Validation vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue does not require user interaction, but admin privileges are required. | 2024-06-13 | 9.1 | CVE-2024-34108 (psirt@adobe.com)
Adobe -- Adobe Commerce | Adobe Commerce versions 2.4.7, 2.4.6-p5, 2.4.5-p7, 2.4.4-p8 and earlier are affected by an Improper Authentication vulnerability that could result in privilege escalation.
@RISK: The Consensus Security Vulnerability Alert: Vol. 24, Num. 24 - SANS Institute
Product: ProjectDiscovery Interactsh | CVSS Score: 9.8 | NVD References: -
CVE-2024-4295 - The Email Subscribers by Icegram Express plugin for WordPress is vulnerable to SQL Injection in versions up to 5.7.20, allowing unauthenticated attackers to extract sensitive information from the database.
Product: Zyxel NAS326 | CVSS Score: 9.8 | NVD References: -
CVE-2024-4552 - The Social Login Lite For WooCommerce plugin for WordPress is vulnerable to authentication bypass through social login, allowing unauthenticated attackers to log in as any existing user on the site, up to version 1.6.0.
CVE-2024-2013 - An authentication bypass vulnerability exists in t
CVE ID: CVE-2024-2013
Published: June 11, 2024, 2:15 p.m.
Description: An authentication bypass vulnerability exists in the FOXMAN-UN/UNEM server / API Gateway component that, if exploited, allows attackers without any access to interact with the services and the post-authentication attack surface.
Severity: 10.0 CRITICAL

CVSS V3.1

Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Changed
Confidentiality Impact: High
Integrity Impact: High
Availability Impact: High
