CVE-2024-7265

Incorrect User Management vulnerability in Naukowa i Akademicka Sieć Komputerowa - Państwowy Instytut Badawczy EZD RP allows logged-in user to change the password of any user, including root user, which could lead to privilege escalation. This issue affects EZD RP: from 15 before 15.84, from 16 before 16.15, from 17 before 17.2.

CVSS v3 8.8 HIGH

8.8^/10

CVSS v3 : HIGH

Vector :

Exploitability : 2.8 / Impact : 5.9

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required LOW

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope UNCHANGED

References

Link	Resource
https://cert.pl/en/posts/2024/08/CVE-2024-7265/
https://cert.pl/posts/2024/08/CVE-2024-7265/
https://www.gov.pl/web/ezd-rp	Product

Configurations

Configuration 1 (hide)

OR	cpe:2.3:a:nask:ezd_rp::::::::
	cpe:2.3:a:nask:ezd_rp::::::::
	cpe:2.3:a:nask:ezd_rp::::::::

History

17 Mar 2025, 09:15

Type	Values Removed	Values Added
References	~~{'url': 'https://cert.pl/en/posts/2024/08/CVE-2023-7265/', 'tags': ['Broken Link'], 'source': 'cvd@cert.pl'}~~ ~~{'url': 'https://cert.pl/posts/2024/08/CVE-2023-7265/', 'tags': ['Broken Link'], 'source': 'cvd@cert.pl'}~~	() https://cert.pl/en/posts/2024/08/CVE-2024-7265/ - () https://cert.pl/posts/2024/08/CVE-2024-7265/ -

Information

Published : 2024-08-07 11:15

Updated : 2025-03-17 09:15

NVD link : CVE-2024-7265

Mitre link : CVE-2024-7265

CVE.ORG link : CVE-2024-7265

JSON object : View

Products Affected

nask

ezd_rp

CWE

CWE-863

Incorrect Authorization

{"id": "CVE-2024-7265", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 8.8, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}, "impactScore": 5.9, "exploitabilityScore": 2.8}], "cvssMetricV40": [{"type": "Secondary", "source": "cvd@cert.pl", "cvssData": {"Safety": "NOT_DEFINED", "version": "4.0", "Recovery": "USER", "baseScore": 8.7, "Automatable": "NOT_DEFINED", "attackVector": "NETWORK", "baseSeverity": "HIGH", "valueDensity": "DIFFUSE", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:U/V:D/RE:L/U:Amber", "exploitMaturity": "NOT_DEFINED", "providerUrgency": "AMBER", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "LOW", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "HIGH", "integrityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "HIGH", "availabilityRequirement": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "HIGH", "confidentialityRequirement": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "vulnerabilityResponseEffort": "LOW", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED"}}]}, "published": "2024-08-07T11:15:45.757", "references": [{"url": "https://cert.pl/en/posts/2024/08/CVE-2024-7265/", "source": "cvd@cert.pl"}, {"url": "https://cert.pl/posts/2024/08/CVE-2024-7265/", "source": "cvd@cert.pl"}, {"url": "https://www.gov.pl/web/ezd-rp", "tags": ["Product"], "source": "cvd@cert.pl"}], "vulnStatus": "Modified", "weaknesses": [{"type": "Secondary", "source": "cvd@cert.pl", "description": [{"lang": "en", "value": "CWE-863"}]}, {"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-863"}]}], "descriptions": [{"lang": "en", "value": "Incorrect User Management vulnerability in Naukowa i Akademicka Sie\u0107 Komputerowa - Pa\u0144stwowy Instytut Badawczy EZD RP allows logged-in user to change the password of any user, including root user, which could lead to privilege escalation.\u00a0This issue affects EZD RP: from 15 before 15.84, from 16 before 16.15, from 17 before 17.2."}, {"lang": "es", "value": "La vulnerabilidad de administraci\u00f3n incorrecta de usuarios en Naukowa i Akademicka Sie? Komputerowa - Pa?stwowy Instytut Badawczy EZD RP permite que un usuario conectado cambie la contrase\u00f1a de cualquier usuario, incluido el usuario root, lo que podr\u00eda provocar una escalada de privilegios. Este problema afecta a EZD RP: desde la versi\u00f3n 15 hasta la 15.84, desde la versi\u00f3n 16 hasta la 16.15, desde la versi\u00f3n 17 hasta la 17.2."}], "lastModified": "2025-03-17T09:15:11.963", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:nask:ezd_rp:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "B43D39E4-75AE-42D6-B206-A70B3CB9B538", "versionEndExcluding": "15.84", "versionStartIncluding": "15"}, {"criteria": "cpe:2.3:a:nask:ezd_rp:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "0C255177-BEAE-4B88-869C-57EBD3466ADD", "versionEndExcluding": "16.15", "versionStartIncluding": "16"}, {"criteria": "cpe:2.3:a:nask:ezd_rp:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "50DE01F5-72FE-4ECC-B117-3B4D5E15901C", "versionEndExcluding": "17.2", "versionStartIncluding": "17"}], "operator": "OR"}]}], "sourceIdentifier": "cvd@cert.pl"}