Improper Resolution of Path Equivalence (CWE-41)
CVE-2024-30036 is an information disclosure vulnerability in Windows Deployment Services (WDS). An attacker who successfully exploited it could read sensitive information. Microsoft titles it "Windows Deployment Services Information Disclosure Vulnerability", and it is mapped to CWE-41: Improper Resolution of Path Equivalence, the weakness class in which two differently written paths resolve to the same file system object while access checks are applied to only one of the forms.
Successful exploitation could allow an attacker to disclose potentially sensitive information over the network without any user interaction. The CVSS v3.1 base score is 6.5 (Medium). The vector CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N breaks down as: network attack vector, low attack complexity, low privileges required, no user interaction, unchanged scope, high impact on confidentiality, and no impact on integrity or availability. Note the PR:L component: the attacker needs some level of access (for example a low-privileged account) rather than anonymous access, so this is not an unauthenticated remote disclosure.
No public proof-of-concept is known, and there is no evidence of exploitation in the wild at the time of writing.
Microsoft has released a security update that addresses this vulnerability. Refer to the MSRC advisory at https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2024-30036 for the update applicable to each affected product version. The update was released on May 14, 2024.
Mitigation: apply the latest Microsoft security updates that address CVE-2024-30036. Until the update is installed, restrict network access to Windows Deployment Services hosts so that only trusted networks and sources can reach them, and, since exploitation requires low privileges (PR:L), review which accounts are able to reach the service at all.
CVSS v3.1 base score 6.5 assigned (vector CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N)
NVD published the first details for CVE-2024-30036
Detection for the vulnerability has been added to Qualys (QID 379811)
EPSS Score was set to: 0.05% (Percentile: 17.3%)