CVE-2024-4692

Improper Validation of Specified Quantity in Input vulnerability in OpenText OpenText Application Automation Tools allows Exploiting Incorrectly Configured Access Control Security Levels. Multiple missing permission checks - Service Virtualization config has been discovered in in OpenText Application Automation Tools. The vulnerability could allow users with Overall/Read permission to enumerate Service Virtualization server names. This issue affects OpenText Application Automation Tools: 24.1.0 and below.

CVSS v3 2.4 LOW

2.4^/10

CVSS v3 : LOW

Vector :

Exploitability : 0.9 / Impact : 1.4

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required HIGH

User Interaction REQUIRED

Confidentiality Impact LOW

Integrity Impact NONE

Availability Impact NONE

Scope UNCHANGED

References

Link	Resource
https://portal.microfocus.com/s/article/KM000033546?language=en_US	Vendor Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:microfocus:application_automation_tools:*:*:*:*:*:jenkins:*:*

History

No history.

Information

Published : 2024-10-16 17:15

Updated : 2024-10-21 16:10

NVD link : CVE-2024-4692

Mitre link : CVE-2024-4692

CVE.ORG link : CVE-2024-4692

JSON object : View

Products Affected

microfocus

application_automation_tools

CWE

CWE-280

Improper Handling of Insufficient Permissions or Privileges

NVD-CWE-noinfo

{"id": "CVE-2024-4692", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 2.4, "attackVector": "NETWORK", "baseSeverity": "LOW", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:L/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "HIGH", "confidentialityImpact": "LOW"}, "impactScore": 1.4, "exploitabilityScore": 0.9}], "cvssMetricV40": [{"type": "Secondary", "source": "security@opentext.com", "cvssData": {"safety": "NEGLIGIBLE", "version": "4.0", "recovery": "NOT_DEFINED", "baseScore": 1.8, "automatable": "NO", "attackVector": "NETWORK", "baseSeverity": "LOW", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:A/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:N/AU:N/R:X/V:X/RE:L/U:Clear", "exploitMaturity": "NOT_DEFINED", "providerUrgency": "CLEAR", "userInteraction": "ACTIVE", "attackComplexity": "LOW", "attackRequirements": "PRESENT", "privilegesRequired": "HIGH", "modifiedAttackVector": "NOT_DEFINED", "integrityRequirements": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "availabilityRequirements": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "subsequentSystemIntegrity": "NONE", "vulnerableSystemIntegrity": "NONE", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "confidentialityRequirements": "NOT_DEFINED", "vulnerabilityResponseEffort": "LOW", "subsequentSystemAvailability": "NONE", "vulnerableSystemAvailability": "NONE", "subsequentSystemConfidentiality": "NONE", "vulnerableSystemConfidentiality": "LOW", "modifiedSubsequentSystemIntegrity": "NOT_DEFINED", "modifiedVulnerableSystemIntegrity": "NOT_DEFINED", "modifiedSubsequentSystemAvailability": "NOT_DEFINED", "modifiedVulnerableSystemAvailability": "NOT_DEFINED", "modifiedSubsequentSystemConfidentiality": "NOT_DEFINED", "modifiedVulnerableSystemConfidentiality": "NOT_DEFINED"}}]}, "published": "2024-10-16T17:15:17.873", "references": [{"url": "https://portal.microfocus.com/s/article/KM000033546?language=en_US", "tags": ["Vendor Advisory"], "source": "security@opentext.com"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Secondary", "source": "security@opentext.com", "description": [{"lang": "en", "value": "CWE-280"}]}, {"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "NVD-CWE-noinfo"}]}], "descriptions": [{"lang": "en", "value": "Improper Validation of Specified Quantity in Input vulnerability in OpenText OpenText Application Automation Tools allows Exploiting Incorrectly Configured Access Control Security Levels.\n\n\nMultiple missing permission checks - Service Virtualization config has been discovered in in OpenText Application Automation Tools. The vulnerability could allow users with Overall/Read permission to enumerate Service Virtualization server names.\n\nThis issue affects OpenText Application Automation Tools: 24.1.0 and below."}, {"lang": "es", "value": "Vulnerabilidad de validaci\u00f3n incorrecta de la cantidad especificada en la entrada en OpenText Las herramientas de automatizaci\u00f3n de aplicaciones de OpenText permiten explotar niveles de seguridad de control de acceso configurados incorrectamente. Se han descubierto m\u00faltiples comprobaciones de permisos faltantes en la configuraci\u00f3n de Service Virtualization en las herramientas de automatizaci\u00f3n de aplicaciones de OpenText. La vulnerabilidad podr\u00eda permitir que los usuarios con permiso general/de lectura enumeren los nombres de los servidores de Service Virtualization. Este problema afecta a las herramientas de automatizaci\u00f3n de aplicaciones de OpenText: 24.1.0 y anteriores."}], "lastModified": "2024-10-21T16:10:14.873", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:microfocus:application_automation_tools:*:*:*:*:*:jenkins:*:*", "vulnerable": true, "matchCriteriaId": "D899757D-1EEB-4A7C-9842-F3BF6F3B1D09", "versionEndExcluding": "24.1.0"}], "operator": "OR"}]}], "sourceIdentifier": "security@opentext.com"}