CVE-2024-48931

ZimaOS is a fork of CasaOS, an operating system for Zima devices and x86-64 systems with UEFI. In version 1.2.4 and all prior versions, the ZimaOS API endpoint `http://<Zima_Server_IP:PORT>/v3/file?token=<token>&files=<file_path>` is vulnerable to arbitrary file reading due to improper input validation. By manipulating the `files` parameter, authenticated users can read sensitive system files, including `/etc/shadow`, which contains password hashes for all users. This vulnerability exposes critical system data and poses a high risk for privilege escalation or system compromise. The vulnerability occurs because the API endpoint does not validate or restrict file paths provided via the `files` parameter. An attacker can exploit this by manipulating the file path to access sensitive files outside the intended directory. As of time of publication, no known patched versions are available.

CVSS v3 7.5 HIGH

7.5^/10

CVSS v3 : HIGH

Vector :

Exploitability : 3.9 / Impact : 3.6

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact NONE

Availability Impact NONE

Scope UNCHANGED

References

Link	Resource
https://github.com/IceWhaleTech/ZimaOS/security/advisories/GHSA-hjw2-9gq5-qgwj	Exploit Vendor Advisory
https://youtu.be/FyIfcmCyDXs	Exploit

Configurations

Configuration 1 (hide)

cpe:2.3:a:zimaspace:zimaos:*:*:*:*:*:*:*:*

History

No history.

Information

Published : 2024-10-24 21:15

Updated : 2024-11-06 15:46

NVD link : CVE-2024-48931

Mitre link : CVE-2024-48931

CVE.ORG link : CVE-2024-48931

JSON object : View

Products Affected

zimaspace

zimaos

CWE

CWE-22

Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

{"id": "CVE-2024-48931", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "security-advisories@github.com", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.5, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 3.6, "exploitabilityScore": 3.9}, {"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.5, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 3.6, "exploitabilityScore": 3.9}]}, "published": "2024-10-24T21:15:14.580", "references": [{"url": "https://github.com/IceWhaleTech/ZimaOS/security/advisories/GHSA-hjw2-9gq5-qgwj", "tags": ["Exploit", "Vendor Advisory"], "source": "security-advisories@github.com"}, {"url": "https://youtu.be/FyIfcmCyDXs", "tags": ["Exploit"], "source": "security-advisories@github.com"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Secondary", "source": "security-advisories@github.com", "description": [{"lang": "en", "value": "CWE-22"}]}, {"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-22"}]}], "descriptions": [{"lang": "en", "value": "ZimaOS is a fork of CasaOS, an operating system for Zima devices and x86-64 systems with UEFI. In version 1.2.4 and all prior versions, the ZimaOS API endpoint `http://<Zima_Server_IP:PORT>/v3/file?token=<token>&files=<file_path>` is vulnerable to arbitrary file reading due to improper input validation. By manipulating the `files` parameter, authenticated users can read sensitive system files, including `/etc/shadow`, which contains password hashes for all users. This vulnerability exposes critical system data and poses a high risk for privilege escalation or system compromise. The vulnerability occurs because the API endpoint does not validate or restrict file paths provided via the `files` parameter. An attacker can exploit this by manipulating the file path to access sensitive files outside the intended directory. As of time of publication, no known patched versions are available."}, {"lang": "es", "value": "ZimaOS es una bifurcaci\u00f3n de CasaOS, un sistema operativo para dispositivos Zima y sistemas x86-64 con UEFI. En la versi\u00f3n 1.2.4 y todas las versiones anteriores, el endpoint de la API de ZimaOS `http:///v3/file?token=&files=` es vulnerable a la lectura arbitraria de archivos debido a una validaci\u00f3n de entrada incorrecta. Al manipular el par\u00e1metro `files`, los usuarios autenticados pueden leer archivos confidenciales del sistema, incluido `/etc/shadow`, que contiene hashes de contrase\u00f1as para todos los usuarios. Esta vulnerabilidad expone datos cr\u00edticos del sistema y plantea un alto riesgo de escalada de privilegios o compromiso del sistema. La vulnerabilidad se produce porque el endpoint de la API no valida ni restringe las rutas de archivo proporcionadas a trav\u00e9s del par\u00e1metro `files`. Un atacante puede explotar esto manipulando la ruta del archivo para acceder a archivos confidenciales fuera del directorio previsto. Al momento de la publicaci\u00f3n, no hay versiones parcheadas conocidas disponibles."}], "lastModified": "2024-11-06T15:46:23.067", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:zimaspace:zimaos:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "90AF6DD7-39AC-4647-9446-C4720FA2A721", "versionEndExcluding": "1.2.5"}], "operator": "OR"}]}], "sourceIdentifier": "security-advisories@github.com"}