CVE-2024-53275

{"id": "CVE-2024-53275", "cveTags": [], "metrics": {"cvssMetricV40": [{"type": "Secondary", "source": "security-advisories@github.com", "cvssData": {"safety": "NOT_DEFINED", "version": "4.0", "recovery": "NOT_DEFINED", "baseScore": 5.3, "automatable": "NOT_DEFINED", "attackVector": "ADJACENT", "baseSeverity": "MEDIUM", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "exploitMaturity": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "modifiedAttackVector": "NOT_DEFINED", "integrityRequirements": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "availabilityRequirements": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "subsequentSystemIntegrity": "NONE", "vulnerableSystemIntegrity": "NONE", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "confidentialityRequirements": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "subsequentSystemAvailability": "NONE", "vulnerableSystemAvailability": "NONE", "subsequentSystemConfidentiality": "NONE", "vulnerableSystemConfidentiality": "LOW", "modifiedSubsequentSystemIntegrity": "NOT_DEFINED", "modifiedVulnerableSystemIntegrity": "NOT_DEFINED", "modifiedSubsequentSystemAvailability": "NOT_DEFINED", "modifiedVulnerableSystemAvailability": "NOT_DEFINED", "modifiedSubsequentSystemConfidentiality": "NOT_DEFINED", "modifiedVulnerableSystemConfidentiality": "NOT_DEFINED"}}]}, "published": "2024-12-23T18:15:07.143", "references": [{"url": "https://securitylab.github.com/advisories/GHSL-2024-091_GHSL-2024-092_home-gallery/", "source": "security-advisories@github.com"}], "vulnStatus": "Awaiting Analysis", "weaknesses": [{"type": "Secondary", "source": "security-advisories@github.com", "description": [{"lang": "en", "value": "CWE-350"}]}], "descriptions": [{"lang": "en", "value": "Home-Gallery.org is a self-hosted open-source web gallery to browse personal photos and videos. In 1.15.0 and earlier, the default setup of home-gallery is vulnerable to DNS rebinding. Home-gallery is set up without TLS and user authentication by default, leaving it vulnerable to DNS rebinding. In this attack, an attacker will ask a user to visit their website. The attacker website will then change the DNS records of their domain from their IP address to the internal IP address of the home-gallery instance. To tell which IP addresses are valid, we can rebind a subdomain to each IP address we want to check, and see if there is a response. Once potential candidates have been found, the attacker can launch the attack by reading the response of the web server after the IP address has changed. When the attacker domain is fetched, the response will be from the home-gallery instance, not the attacker website, because the IP address has been changed. Due to a lack of authentication, home-gallery photos can then be extracted by the attacker website."}, {"lang": "es", "value": "Home-Gallery.org es una galer\u00eda web autohospedada de c\u00f3digo abierto para explorar fotograf\u00edas y v\u00eddeos personales. En 1.15.0 y versiones anteriores, la configuraci\u00f3n predeterminada de la galer\u00eda de inicio es vulnerable a la nueva vinculaci\u00f3n de DNS. La galer\u00eda de inicio est\u00e1 configurada sin TLS ni autenticaci\u00f3n de usuario de forma predeterminada, lo que la deja vulnerable a la nueva vinculaci\u00f3n de DNS. En este ataque, un atacante pedir\u00e1 al usuario que visite su sitio web. Luego, el sitio web del atacante cambiar\u00e1 los registros DNS de su dominio de su direcci\u00f3n IP a la direcci\u00f3n IP interna de la instancia de la galer\u00eda de inicio. Para saber qu\u00e9 direcciones IP son v\u00e1lidas, podemos volver a vincular un subdominio a cada direcci\u00f3n IP que queramos verificar y ver si hay una respuesta. Una vez que se han encontrado candidatos potenciales, el atacante puede lanzar el ataque leyendo la respuesta del servidor web despu\u00e9s de que la direcci\u00f3n IP haya cambiado. Cuando se recupera el dominio del atacante, la respuesta ser\u00e1 de la instancia de la galer\u00eda de inicio, no del sitio web del atacante, porque se cambi\u00f3 la direcci\u00f3n IP. Debido a la falta de autenticaci\u00f3n, el sitio web del atacante puede extraer las fotos de la galer\u00eda de inicio."}], "lastModified": "2025-02-18T22:15:12.430", "sourceIdentifier": "security-advisories@github.com"}