CVE-2024-30036

Improper Resolution of Path Equivalence (CWE-41)

Published: May 14, 2024

CVSS 6.5 / EPSS 0.05% / Medium

Summary

This vulnerability is an information disclosure vulnerability in Windows Deployment Services. An attacker who successfully exploited this vulnerability could access sensitive information. It is classified as a Windows Deployment Services Information Disclosure Vulnerability and is associated with CWE-41: Improper Resolution of Path Equivalence.

Impact

Successful exploitation of this vulnerability could allow an unauthenticated attacker to disclose potentially sensitive information over the network. The attacker would be able to access this information remotely without requiring user interaction. The vulnerability has a CVSS v3.1 base score of 6.5, indicating a medium severity. The CVSS vector string (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N) shows that it has a network attack vector, low attack complexity, requires low privileges, needs no user interaction, and has a high impact on confidentiality but no impact on integrity or availability.

Exploitation

There is no evidence that a public proof-of-concept exists, and there is no evidence of exploitation in the wild at the moment.

Patch

Microsoft has released a security update to address this vulnerability. Refer to the Microsoft advisory at https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2024-30036 for patching details specific to your software versions. The patch was added on May 14, 2024.

Mitigation

As a mitigation, apply the latest security updates from Microsoft that address CVE-2024-30036. Restrict network access to the Windows Deployment Services and only allow it from trusted networks and sources.


Timeline

CVSS

A CVSS base score of 6.5 has been assigned.

May 14, 2024 at 5:00 PM / microsoft
First Article

Feedly found the first article mentioning CVE-2024-30036.

May 14, 2024 at 5:03 PM / Microsoft Security Advisories - MSRC
CVSS Estimate

Feedly estimated the CVSS score as MEDIUM

May 14, 2024 at 5:05 PM
CVE Assignment

NVD published the first details for CVE-2024-30036

May 14, 2024 at 5:17 PM
Trending

This CVE started to trend in security discussions

May 15, 2024 at 12:48 AM
Detection in Vulnerability Scanners

Detection for the vulnerability has been added to Qualys (379811)

May 15, 2024 at 5:15 AM
EPSS

EPSS score was set to 0.05% (percentile: 17.3%).

May 15, 2024 at 9:25 AM
Trending

This CVE stopped trending in security discussions

May 15, 2024 at 8:39 PM
Trending

This CVE started to trend in security discussions

May 17, 2024 at 6:13 PM

Patches

Microsoft

Attack Patterns

CAPEC-3: Using Leading 'Ghost' Character Sequences to Bypass Input Filters

News

Information Security Vulnerability Weekly Report (Issue 21, 2024)
According to statistics from the China National Vulnerability Database of Information Security (CNNVD), this week (May 13, 2024 to May 19, 2024) […]
Government issues ‘important’ advisory for Windows, Office and other Microsoft products - The Times of India
According to the report, “Multiple vulnerabilities have been reported in Microsoft Products, which could allow an attacker to gain elevated privileges, obtain sensitive information, conduct remote code execution attacks, bypass security restrictions, conduct spoofing attacks, conduct tampering attacks, or cause denial of service conditions.” In the latest post, the government body has reported finding multiple vulnerabilities in Microsoft products and classified them as ‘High’ severity.
May 2024 Patch Tuesday: Microsoft and VMware Fix Zero-Day Exploits
Microsoft SharePoint Server Remote Code Execution Vulnerability; Microsoft WDAC OLE DB provider for SQL Server Remote Code Execution Vulnerability
No mayday call necessary for the year’s fifth Patch Tuesday – Source: news.sophos.com
Windows as usual takes the lion’s share of patches with 48, with the rest spread among .NET, 365 Apps for Enterprise, Azure, Bing Search for iOS, Dynamics 365, Intune, Office, Power BI, SharePoint, and Visual Studio. In addition to these patches, the release includes advisory information on six patches related to the Edge browser; two related to Visual Studio but managed by GitHub, not Microsoft; and four from Adobe.
Tornado Cash developer sentenced to 64 months
Reading time: 2 minutes. Alexey Pertsev, one of the main developers of the cryptocurrency mixer Tornado Cash, has been sentenced to 64 months in prison for helping to launder over 2 billion dollars in cryptocurrency. The sentence reflects the growing pressure from legal authorities on platforms that can be used for illicit activity. The Tornado Cash case: Tornado Cash is a decentralized, open-source platform that was intended to provide anonymity to cryptocurrency holders. The platform worked by accepting deposits and moving the assets through numerous service nodes before allowing withdrawal to a wallet address different from the original one. This method was used by cybercriminals to hide the origin of funds and launder large sums from illegal activities, including by the well-known North Korean hacking group Lazarus. Legal implications and actions by the authorities: In 2022, the U.S. Department of the Treasury sanctioned the platform, and in 2023 the U.S. Department of Justice indicted two of the founders for conspiracy to commit money laundering and for violating the International Emergency Economic Powers Act. These actions underscore the authorities' determination to fight money laundering carried out through technologies that offer high levels of anonymity. Defense and sentence: Pertsev stated that his goal was only to provide privacy to the cryptocurrency community, not to facilitate criminal operations.

CVSS v3.1

Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Unchanged
Confidentiality Impact: High
Integrity Impact: None
Availability Impact: None
