CVE-2024-34162

The web interface of the affected devices is designed to hide the LDAP credentials even for administrative users. But configuring LDAP authentication to "SIMPLE", the device communicates with the LDAP server in clear-text. The LDAP password can be retrieved from this clear-text communication. As for the details of affected product names, model numbers, and versions, refer to the information provided by the respective vendors listed under [References].

CVSS v3 5.3 MEDIUM

5.3^/10

CVSS v3 : MEDIUM

Vector :

Exploitability : 3.9 / Impact : 1.4

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact LOW

Integrity Impact NONE

Availability Impact NONE

Scope UNCHANGED

References

Link	Resource
https://global.sharp/products/copier/info/info_security_2024-05.html
https://jp.sharp/business/print/information/info_security_2024-05.html
https://jvn.jp/en/vu/JVNVU93051062/
https://pierrekim.github.io/blog/2024-06-27-sharp-mfp-17-vulnerabilities.html
https://www.toshibatec.co.jp/information/20240531_02.html
https://www.toshibatec.com/information/20240531_02.html

Configurations

No configuration.

History

No history.

Information

Published : 2024-11-26 08:15

Updated : 2024-11-26 08:15

NVD link : CVE-2024-34162

Mitre link : CVE-2024-34162

CVE.ORG link : CVE-2024-34162

JSON object : View

Products Affected

No product.

CWE

CWE-767

Access to Critical Private Variable via Public Method

{"id": "CVE-2024-34162", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "vultures@jpcert.or.jp", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.3, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}, "impactScore": 1.4, "exploitabilityScore": 3.9}]}, "published": "2024-11-26T08:15:06.123", "references": [{"url": "https://global.sharp/products/copier/info/info_security_2024-05.html", "source": "vultures@jpcert.or.jp"}, {"url": "https://jp.sharp/business/print/information/info_security_2024-05.html", "source": "vultures@jpcert.or.jp"}, {"url": "https://jvn.jp/en/vu/JVNVU93051062/", "source": "vultures@jpcert.or.jp"}, {"url": "https://pierrekim.github.io/blog/2024-06-27-sharp-mfp-17-vulnerabilities.html", "source": "vultures@jpcert.or.jp"}, {"url": "https://www.toshibatec.co.jp/information/20240531_02.html", "source": "vultures@jpcert.or.jp"}, {"url": "https://www.toshibatec.com/information/20240531_02.html", "source": "vultures@jpcert.or.jp"}], "vulnStatus": "Awaiting Analysis", "weaknesses": [{"type": "Primary", "source": "vultures@jpcert.or.jp", "description": [{"lang": "en", "value": "CWE-767"}]}], "descriptions": [{"lang": "en", "value": "The web interface of the affected devices is designed to hide the LDAP credentials even for administrative users. But configuring LDAP authentication to \"SIMPLE\", the device communicates with the LDAP server in clear-text. The LDAP password can be retrieved from this clear-text communication. As for the details of affected product names, model numbers, and versions, refer to the information provided by the respective vendors listed under [References]."}, {"lang": "es", "value": "La interfaz web de los dispositivos afectados est\u00e1 dise\u00f1ada para ocultar las credenciales LDAP incluso para los usuarios administrativos. Pero al configurar la autenticaci\u00f3n LDAP en \"SIMPLE\", el dispositivo se comunica con el servidor LDAP en texto sin formato. La contrase\u00f1a LDAP se puede recuperar a partir de esta comunicaci\u00f3n en texto sin formato. En cuanto a los detalles de los nombres de los productos afectados, los n\u00fameros de modelo y las versiones, consulte la informaci\u00f3n proporcionada por los respectivos proveedores que se enumeran en [Referencias]."}], "lastModified": "2024-11-26T08:15:06.123", "sourceIdentifier": "vultures@jpcert.or.jp"}