CVE-2024-49399
Missing Authentication for Critical Function (CWE-306)
Published: Oct 17, 2024 / Updated: 33d ago

010

CVSS 8.7EPSS 0.04%High

CVE info copied to clipboard

Summary

The affected product is vulnerable to an attacker being able to use commands without providing a password which may allow an attacker to leak information. This vulnerability is related to Missing Authentication for Critical Function (CWE-306).

Impact

This vulnerability allows an attacker to execute commands without authentication, potentially leading to information leakage. The attack vector is through the network, with low attack complexity and no user interaction required. The main impact is on the confidentiality of the vulnerable system, which is rated as HIGH. There is no direct impact on the integrity or availability of the system. The vulnerability has a CVSS v4 base score of 8.7, which is considered HIGH severity.

Exploitation

There is no evidence that a public proof-of-concept exists. There is no evidence of proof of exploitation at the moment.

Patch

The vulnerability data provided does not mention any specific patch information. It's crucial for the security team to check with the vendor for the latest security updates or patches addressing this vulnerability.

Mitigation

While waiting for a patch, consider the following mitigation strategies: 1. Implement strong network segmentation to limit access to the affected systems. 2. Use a properly configured firewall to restrict incoming network traffic to trusted sources only. 3. If possible, disable the affected command functionality until a patch is available. 4. Implement additional authentication layers or compensating controls to protect critical functions. 5. Monitor systems for any suspicious activities or unauthorized access attempts. 6. Keep all systems and software up to date with the latest security patches. 7. Conduct a thorough review of system configurations to ensure proper authentication is in place for all critical functions.

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Timeline

First Article

Feedly found the first article mentioning CVE-2024-49399. See article

Oct 17, 2024 at 4:28 PM / Cybersecurity and Infrastructure Security Agency CISA

Threat Intelligence Report

CVE-2024-49399 is a vulnerability with a CVSS v3.1 base score of 7.5 and a CVSS v4 base score of 8.7, indicating a significant level of criticality. The details provided do not specify whether it is being exploited in the wild, nor do they mention any proof-of-concept exploits, mitigations, detections, patches, or downstream impacts to third-party vendors or technology. Further investigation would be necessary to assess the full scope and implications of this vulnerability. See article

Oct 17, 2024 at 4:28 PM

CVSS Estimate

Feedly estimated the CVSS score as HIGH

Oct 17, 2024 at 4:44 PM

CVE Assignment

NVD published the first details for CVE-2024-49399

Oct 17, 2024 at 5:15 PM

CVSS

A CVSS base score of 8.7 has been assigned.

Oct 17, 2024 at 5:20 PM / nvd

EPSS

EPSS Score was set to: 0.04% (Percentile: 9.7%)