
    14 vulnerabilities found for ngrinder by naver

    CVE-2024-28216 (GCVE-0-2024-28216)

    Vulnerability from nvd – Published: 2024-03-07 04:50 – Updated: 2024-09-06 04:17
    VLAI
    Summary
    nGrinder before 3.5.9 allows an attacker to obtain the results of webhook requests due to lack of access control, which could be the cause of information disclosure and limited Server-Side Request Forgery.
    SSVC
    Exploitation: poc Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    Assigner
    References
    Impacted products
    Vendor Product Version
    NAVER nGrinder Unaffected: 3.5.9
    naver ngrinder Affected: 0 , < 3.5.9 (custom)
        cpe:2.3:a:naver:ngrinder:*:*:*:*:*:*:*:*
    Credits
    Peter Stöckli of GitHub Security Lab

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-02T00:48:49.603Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "name": "NAVER Security Advisory",
                "tags": [
                  "x_transferred"
                ],
                "url": "https://cve.naver.com/detail/cve-2024-28216.html"
              }
            ],
            "title": "CVE Program Container"
          },
          {
            "affected": [
              {
                "cpes": [
                  "cpe:2.3:a:naver:ngrinder:*:*:*:*:*:*:*:*"
                ],
                "defaultStatus": "unknown",
                "product": "ngrinder",
                "vendor": "naver",
                "versions": [
                  {
                    "lessThan": "3.5.9",
                    "status": "affected",
                    "version": "0",
                    "versionType": "custom"
                  }
                ]
              }
            ],
            "metrics": [
              {
                "cvssV3_1": {
                  "attackComplexity": "LOW",
                  "attackVector": "NETWORK",
                  "availabilityImpact": "NONE",
                  "baseScore": 5.4,
                  "baseSeverity": "MEDIUM",
                  "confidentialityImpact": "LOW",
                  "integrityImpact": "LOW",
                  "privilegesRequired": "LOW",
                  "scope": "UNCHANGED",
                  "userInteraction": "NONE",
                  "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N",
                  "version": "3.1"
                }
              },
              {
                "other": {
                  "content": {
                    "id": "CVE-2024-28216",
                    "options": [
                      {
                        "Exploitation": "poc"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2024-03-07T16:41:17.619047Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2024-08-12T19:42:34.411Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "affected",
              "product": "nGrinder",
              "vendor": "NAVER",
              "versions": [
                {
                  "status": "unaffected",
                  "version": "3.5.9"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "value": "Peter St\u00f6ckli of GitHub Security Lab"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "nGrinder before 3.5.9 allows an attacker to obtain the results of webhook requests due to lack of access control, which could be the cause of information disclosure and limited Server-Side Request Forgery."
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-862",
                  "description": "CWE-862 Missing Authorization",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2024-09-06T04:17:45.466Z",
            "orgId": "f9629fae-ca2e-4fbf-9785-3ed86476aef6",
            "shortName": "naver"
          },
          "references": [
            {
              "name": "NAVER Security Advisory",
              "url": "https://cve.naver.com/detail/cve-2024-28216.html"
            }
          ],
          "source": {
            "discovery": "EXTERNAL"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "f9629fae-ca2e-4fbf-9785-3ed86476aef6",
        "assignerShortName": "naver",
        "cveId": "CVE-2024-28216",
        "datePublished": "2024-03-07T04:50:15.338Z",
        "dateReserved": "2024-03-07T02:38:58.221Z",
        "dateUpdated": "2024-09-06T04:17:45.466Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2024-28215 (GCVE-0-2024-28215)

    Vulnerability from nvd – Published: 2024-03-07 04:50 – Updated: 2024-09-06 04:15
    VLAI
    Summary
    nGrinder before 3.5.9 allows an attacker to create or update webhook configuration due to lack of access control, which could be the cause of information disclosure and limited Server-Side Request Forgery.
    SSVC
    Exploitation: none Automatable: yes Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    Assigner
    References
    Impacted products
    Vendor Product Version
    NAVER nGrinder Unaffected: 3.5.9
    naver ngrinder Affected: 0 , < 3.5.9 (custom)
        cpe:2.3:a:naver:ngrinder:*:*:*:*:*:*:*:*
    Credits
    Peter Stöckli of GitHub Security Lab

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-02T00:48:49.627Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "name": "NAVER Security Advisory",
                "tags": [
                  "x_transferred"
                ],
                "url": "https://cve.naver.com/detail/cve-2024-28215.html"
              }
            ],
            "title": "CVE Program Container"
          },
          {
            "affected": [
              {
                "cpes": [
                  "cpe:2.3:a:naver:ngrinder:*:*:*:*:*:*:*:*"
                ],
                "defaultStatus": "unknown",
                "product": "ngrinder",
                "vendor": "naver",
                "versions": [
                  {
                    "lessThan": "3.5.9",
                    "status": "affected",
                    "version": "0",
                    "versionType": "custom"
                  }
                ]
              }
            ],
            "metrics": [
              {
                "cvssV3_1": {
                  "attackComplexity": "LOW",
                  "attackVector": "NETWORK",
                  "availabilityImpact": "NONE",
                  "baseScore": 7.5,
                  "baseSeverity": "HIGH",
                  "confidentialityImpact": "HIGH",
                  "integrityImpact": "NONE",
                  "privilegesRequired": "NONE",
                  "scope": "UNCHANGED",
                  "userInteraction": "NONE",
                  "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
                  "version": "3.1"
                }
              },
              {
                "other": {
                  "content": {
                    "id": "CVE-2024-28215",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2024-03-07T18:35:15.864891Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2024-08-28T20:18:55.816Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "affected",
              "product": "nGrinder",
              "vendor": "NAVER",
              "versions": [
                {
                  "status": "unaffected",
                  "version": "3.5.9"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "value": "Peter St\u00f6ckli of GitHub Security Lab"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "nGrinder before 3.5.9 allows an attacker to create or update webhook configuration due to lack of access control, which could be the cause of information disclosure and limited Server-Side Request Forgery."
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-862",
                  "description": "CWE-862 Missing Authorization",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2024-09-06T04:15:12.049Z",
            "orgId": "f9629fae-ca2e-4fbf-9785-3ed86476aef6",
            "shortName": "naver"
          },
          "references": [
            {
              "name": "NAVER Security Advisory",
              "url": "https://cve.naver.com/detail/cve-2024-28215.html"
            }
          ],
          "source": {
            "discovery": "EXTERNAL"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "f9629fae-ca2e-4fbf-9785-3ed86476aef6",
        "assignerShortName": "naver",
        "cveId": "CVE-2024-28215",
        "datePublished": "2024-03-07T04:50:08.422Z",
        "dateReserved": "2024-03-07T02:38:58.221Z",
        "dateUpdated": "2024-09-06T04:15:12.049Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2024-28214 (GCVE-0-2024-28214)

    Vulnerability from nvd – Published: 2024-03-07 04:49 – Updated: 2024-11-08 17:07
    VLAI
    Summary
    nGrinder before 3.5.9 allows a delay to be set without limitation, which could allow a remote attacker to cause a Denial of Service.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-405 - Asymmetric Resource Consumption (Amplification)
    Assigner
    References
    Impacted products
    Vendor Product Version
    NAVER nGrinder Unaffected: 3.5.9
    Credits
    Peter Stöckli of GitHub Security Lab

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-02T00:48:49.632Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "name": "NAVER Security Advisory",
                "tags": [
                  "x_transferred"
                ],
                "url": "https://cve.naver.com/detail/cve-2024-28214.html"
              }
            ],
            "title": "CVE Program Container"
          },
          {
            "metrics": [
              {
                "cvssV3_1": {
                  "attackComplexity": "LOW",
                  "attackVector": "NETWORK",
                  "availabilityImpact": "LOW",
                  "baseScore": 2.7,
                  "baseSeverity": "LOW",
                  "confidentialityImpact": "NONE",
                  "integrityImpact": "NONE",
                  "privilegesRequired": "HIGH",
                  "scope": "UNCHANGED",
                  "userInteraction": "NONE",
                  "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:L",
                  "version": "3.1"
                }
              },
              {
                "other": {
                  "content": {
                    "id": "CVE-2024-28214",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2024-03-07T16:46:08.193153Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2024-11-08T17:07:55.690Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "affected",
              "product": "nGrinder",
              "vendor": "NAVER",
              "versions": [
                {
                  "status": "unaffected",
                  "version": "3.5.9"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "value": "Peter St\u00f6ckli of GitHub Security Lab"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "nGrinder before 3.5.9 allows to set delay without limitation, which could be the cause of Denial of Service by remote attacker."
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-405",
                  "description": "CWE-405 Asymmetric Resource Consumption (Amplification)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2024-09-06T04:12:38.448Z",
            "orgId": "f9629fae-ca2e-4fbf-9785-3ed86476aef6",
            "shortName": "naver"
          },
          "references": [
            {
              "name": "NAVER Security Advisory",
              "url": "https://cve.naver.com/detail/cve-2024-28214.html"
            }
          ],
          "source": {
            "discovery": "EXTERNAL"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "f9629fae-ca2e-4fbf-9785-3ed86476aef6",
        "assignerShortName": "naver",
        "cveId": "CVE-2024-28214",
        "datePublished": "2024-03-07T04:49:57.531Z",
        "dateReserved": "2024-03-07T02:38:58.221Z",
        "dateUpdated": "2024-11-08T17:07:55.690Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2024-28213 (GCVE-0-2024-28213)

    Vulnerability from nvd – Published: 2024-03-07 04:49 – Updated: 2024-08-22 20:01
    VLAI
    Summary
    nGrinder before 3.5.9 accepts serialized Java objects from unauthenticated users, which could allow a remote attacker to execute arbitrary code via unsafe Java object deserialization.
    SSVC
    Exploitation: none Automatable: no Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-502 - Deserialization of Untrusted Data
    Assigner
    References
    Impacted products
    Vendor Product Version
    NAVER nGrinder Unaffected: 3.5.9
    naver ngrinder Affected: 0 , < 3.5.9 (custom)
        cpe:2.3:a:naver:ngrinder:*:*:*:*:*:*:*:*
    Credits
    Peter Stöckli of GitHub Security Lab

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-02T00:48:49.537Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "name": "NAVER Security Advisory",
                "tags": [
                  "x_transferred"
                ],
                "url": "https://cve.naver.com/detail/cve-2024-28213.html"
              }
            ],
            "title": "CVE Program Container"
          },
          {
            "affected": [
              {
                "cpes": [
                  "cpe:2.3:a:naver:ngrinder:*:*:*:*:*:*:*:*"
                ],
                "defaultStatus": "unknown",
                "product": "ngrinder",
                "vendor": "naver",
                "versions": [
                  {
                    "lessThan": "3.5.9",
                    "status": "affected",
                    "version": "0",
                    "versionType": "custom"
                  }
                ]
              }
            ],
            "metrics": [
              {
                "cvssV3_1": {
                  "attackComplexity": "LOW",
                  "attackVector": "NETWORK",
                  "availabilityImpact": "HIGH",
                  "baseScore": 9.8,
                  "baseSeverity": "CRITICAL",
                  "confidentialityImpact": "HIGH",
                  "integrityImpact": "HIGH",
                  "privilegesRequired": "NONE",
                  "scope": "UNCHANGED",
                  "userInteraction": "NONE",
                  "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
                  "version": "3.1"
                }
              },
              {
                "other": {
                  "content": {
                    "id": "CVE-2024-28213",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2024-03-07T18:59:00.791879Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2024-08-22T20:01:34.318Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "affected",
              "product": "nGrinder",
              "vendor": "NAVER",
              "versions": [
                {
                  "status": "unaffected",
                  "version": "3.5.9"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "value": "Peter St\u00f6ckli of GitHub Security Lab"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "nGrinder before 3.5.9 allows to accept serialized Java objects from unauthenticated users, which could allow remote attacker to execute arbitrary code via unsafe Java objects deserialization."
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-502",
                  "description": "CWE-502 Deserialization of Untrusted Data",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2024-07-15T00:27:54.327Z",
            "orgId": "f9629fae-ca2e-4fbf-9785-3ed86476aef6",
            "shortName": "naver"
          },
          "references": [
            {
              "name": "NAVER Security Advisory",
              "url": "https://cve.naver.com/detail/cve-2024-28213.html"
            }
          ],
          "source": {
            "discovery": "EXTERNAL"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "f9629fae-ca2e-4fbf-9785-3ed86476aef6",
        "assignerShortName": "naver",
        "cveId": "CVE-2024-28213",
        "datePublished": "2024-03-07T04:49:47.237Z",
        "dateReserved": "2024-03-07T02:38:58.221Z",
        "dateUpdated": "2024-08-22T20:01:34.318Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2024-28212 (GCVE-0-2024-28212)

    Vulnerability from nvd – Published: 2024-03-07 04:49 – Updated: 2024-08-12 19:41
    VLAI
    Summary
    nGrinder before 3.5.9 uses an old version of SnakeYAML, which could allow a remote attacker to execute arbitrary code via unsafe deserialization.
    SSVC
    Exploitation: none Automatable: yes Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-502 - Deserialization of Untrusted Data
    Assigner
    References
    Impacted products
    Vendor Product Version
    NAVER nGrinder Unaffected: 3.5.9
    naver ngrinder Affected: 0 , < 3.5.9 (custom)
        cpe:2.3:a:naver:ngrinder:*:*:*:*:*:*:*:*
    Credits
    Peter Stöckli of GitHub Security Lab

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-02T00:48:49.537Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "name": "NAVER Security Advisory",
                "tags": [
                  "x_transferred"
                ],
                "url": "https://cve.naver.com/detail/cve-2024-28212.html"
              }
            ],
            "title": "CVE Program Container"
          },
          {
            "affected": [
              {
                "cpes": [
                  "cpe:2.3:a:naver:ngrinder:*:*:*:*:*:*:*:*"
                ],
                "defaultStatus": "unknown",
                "product": "ngrinder",
                "vendor": "naver",
                "versions": [
                  {
                    "lessThan": "3.5.9",
                    "status": "affected",
                    "version": "0",
                    "versionType": "custom"
                  }
                ]
              }
            ],
            "metrics": [
              {
                "cvssV3_1": {
                  "attackComplexity": "LOW",
                  "attackVector": "NETWORK",
                  "availabilityImpact": "HIGH",
                  "baseScore": 9.8,
                  "baseSeverity": "CRITICAL",
                  "confidentialityImpact": "HIGH",
                  "integrityImpact": "HIGH",
                  "privilegesRequired": "NONE",
                  "scope": "UNCHANGED",
                  "userInteraction": "NONE",
                  "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
                  "version": "3.1"
                }
              },
              {
                "other": {
                  "content": {
                    "id": "CVE-2024-28212",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2024-08-12T19:41:37.787067Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2024-08-12T19:41:41.104Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "affected",
              "product": "nGrinder",
              "vendor": "NAVER",
              "versions": [
                {
                  "status": "unaffected",
                  "version": "3.5.9"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "value": "Peter St\u00f6ckli of GitHub Security Lab"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "nGrinder before 3.5.9 uses old version of SnakeYAML, which could allow remote attacker to execute arbitrary code via unsafe deserialization."
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-502",
                  "description": "CWE-502 Deserialization of Untrusted Data",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2024-07-15T00:27:54.327Z",
            "orgId": "f9629fae-ca2e-4fbf-9785-3ed86476aef6",
            "shortName": "naver"
          },
          "references": [
            {
              "name": "NAVER Security Advisory",
              "url": "https://cve.naver.com/detail/cve-2024-28212.html"
            }
          ],
          "source": {
            "discovery": "EXTERNAL"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "f9629fae-ca2e-4fbf-9785-3ed86476aef6",
        "assignerShortName": "naver",
        "cveId": "CVE-2024-28212",
        "datePublished": "2024-03-07T04:49:37.921Z",
        "dateReserved": "2024-03-07T02:38:58.221Z",
        "dateUpdated": "2024-08-12T19:41:41.104Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2024-28211 (GCVE-0-2024-28211)

    Vulnerability from nvd – Published: 2024-03-07 04:49 – Updated: 2024-08-05 20:05
    VLAI
    Summary
    nGrinder before 3.5.9 allows connections to a malicious JMX/RMI server by default, which could allow a remote attacker to execute arbitrary code via the RMI registry.
    SSVC
    Exploitation: none Automatable: yes Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-502 - Deserialization of Untrusted Data
    Assigner
    References
    Impacted products
    Vendor Product Version
    NAVER nGrinder Unaffected: 3.5.9
    naver ngrinder Affected: 0 , < 3.5.9 (custom)
        cpe:2.3:a:naver:ngrinder:*:*:*:*:*:*:*:*
    Credits
    Peter Stöckli of GitHub Security Lab

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-02T00:48:49.646Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "name": "NAVER Security Advisory",
                "tags": [
                  "x_transferred"
                ],
                "url": "https://cve.naver.com/detail/cve-2024-28211.html"
              }
            ],
            "title": "CVE Program Container"
          },
          {
            "affected": [
              {
                "cpes": [
                  "cpe:2.3:a:naver:ngrinder:*:*:*:*:*:*:*:*"
                ],
                "defaultStatus": "affected",
                "product": "ngrinder",
                "vendor": "naver",
                "versions": [
                  {
                    "lessThan": "3.5.9",
                    "status": "affected",
                    "version": "0",
                    "versionType": "custom"
                  }
                ]
              }
            ],
            "metrics": [
              {
                "cvssV3_1": {
                  "attackComplexity": "LOW",
                  "attackVector": "NETWORK",
                  "availabilityImpact": "HIGH",
                  "baseScore": 9.8,
                  "baseSeverity": "CRITICAL",
                  "confidentialityImpact": "HIGH",
                  "integrityImpact": "HIGH",
                  "privilegesRequired": "NONE",
                  "scope": "UNCHANGED",
                  "userInteraction": "NONE",
                  "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
                  "version": "3.1"
                }
              },
              {
                "other": {
                  "content": {
                    "id": "CVE-2024-28211",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2024-08-05T20:03:53.607719Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2024-08-05T20:05:34.960Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "affected",
              "product": "nGrinder",
              "vendor": "NAVER",
              "versions": [
                {
                  "status": "unaffected",
                  "version": "3.5.9"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "value": "Peter St\u00f6ckli of GitHub Security Lab"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "nGrinder before 3.5.9 allows connection to malicious JMX/RMI server by default, which could be the cause of executing arbitrary code via RMI registry by remote attacker."
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-502",
                  "description": "CWE-502 Deserialization of Untrusted Data",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2024-07-15T00:27:54.327Z",
            "orgId": "f9629fae-ca2e-4fbf-9785-3ed86476aef6",
            "shortName": "naver"
          },
          "references": [
            {
              "name": "NAVER Security Advisory",
              "url": "https://cve.naver.com/detail/cve-2024-28211.html"
            }
          ],
          "source": {
            "discovery": "EXTERNAL"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "f9629fae-ca2e-4fbf-9785-3ed86476aef6",
        "assignerShortName": "naver",
        "cveId": "CVE-2024-28211",
        "datePublished": "2024-03-07T04:49:21.951Z",
        "dateReserved": "2024-03-07T02:38:58.220Z",
        "dateUpdated": "2024-08-05T20:05:34.960Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2016-5060 (GCVE-0-2016-5060)

    Vulnerability from nvd – Published: 2016-12-13 22:00 – Updated: 2024-08-06 00:46
    VLAI
    Summary
    Multiple cross-site scripting (XSS) vulnerabilities in nGrinder before 3.4 allow remote attackers to inject arbitrary web script or HTML via the (1) description, (2) email, or (3) username parameter to user/save.
    Severity
    No CVSS data available.
    CWE
    • n/a
    Assigner
    Date Public
    2016-05-24 00:00

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-06T00:46:40.273Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_refsource_CONFIRM",
                  "x_transferred"
                ],
                "url": "https://github.com/naver/ngrinder/releases/tag/ngrinder-3.4-20160525"
              },
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "http://packetstormsecurity.com/files/137469/nGrinder-3.3-Cross-Site-Scripting.html"
              },
              {
                "name": "20160614 CVE-2016-5060 Stored Cross-Site Scripting vulnerability in nGrinder",
                "tags": [
                  "mailing-list",
                  "x_refsource_FULLDISC",
                  "x_transferred"
                ],
                "url": "http://seclists.org/fulldisclosure/2016/Jun/23"
              },
              {
                "tags": [
                  "x_refsource_CONFIRM",
                  "x_transferred"
                ],
                "url": "https://github.com/naver/ngrinder/issues/103"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "n/a",
              "vendor": "n/a",
              "versions": [
                {
                  "status": "affected",
                  "version": "n/a"
                }
              ]
            }
          ],
          "datePublic": "2016-05-24T00:00:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "value": "Multiple cross-site scripting (XSS) vulnerabilities in nGrinder before 3.4 allow remote attackers to inject arbitrary web script or HTML via the (1) description, (2) email, or (3) username parameter to user/save."
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "description": "n/a",
                  "lang": "en",
                  "type": "text"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2016-12-13T21:57:01.000Z",
            "orgId": "37e5125f-f79b-445b-8fad-9564f167944b",
            "shortName": "certcc"
          },
          "references": [
            {
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/naver/ngrinder/releases/tag/ngrinder-3.4-20160525"
            },
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "http://packetstormsecurity.com/files/137469/nGrinder-3.3-Cross-Site-Scripting.html"
            },
            {
              "name": "20160614 CVE-2016-5060 Stored Cross-Site Scripting vulnerability in nGrinder",
              "tags": [
                "mailing-list",
                "x_refsource_FULLDISC"
              ],
              "url": "http://seclists.org/fulldisclosure/2016/Jun/23"
            },
            {
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/naver/ngrinder/issues/103"
            }
          ],
          "x_legacyV4Record": {
            "CVE_data_meta": {
              "ASSIGNER": "cert@cert.org",
              "ID": "CVE-2016-5060",
              "STATE": "PUBLIC"
            },
            "affects": {
              "vendor": {
                "vendor_data": [
                  {
                    "product": {
                      "product_data": [
                        {
                          "product_name": "n/a",
                          "version": {
                            "version_data": [
                              {
                                "version_value": "n/a"
                              }
                            ]
                          }
                        }
                      ]
                    },
                    "vendor_name": "n/a"
                  }
                ]
              }
            },
            "data_format": "MITRE",
            "data_type": "CVE",
            "data_version": "4.0",
            "description": {
              "description_data": [
                {
                  "lang": "eng",
                  "value": "Multiple cross-site scripting (XSS) vulnerabilities in nGrinder before 3.4 allow remote attackers to inject arbitrary web script or HTML via the (1) description, (2) email, or (3) username parameter to user/save."
                }
              ]
            },
            "problemtype": {
              "problemtype_data": [
                {
                  "description": [
                    {
                      "lang": "eng",
                      "value": "n/a"
                    }
                  ]
                }
              ]
            },
            "references": {
              "reference_data": [
                {
                  "name": "https://github.com/naver/ngrinder/releases/tag/ngrinder-3.4-20160525",
                  "refsource": "CONFIRM",
                  "url": "https://github.com/naver/ngrinder/releases/tag/ngrinder-3.4-20160525"
                },
                {
                  "name": "http://packetstormsecurity.com/files/137469/nGrinder-3.3-Cross-Site-Scripting.html",
                  "refsource": "MISC",
                  "url": "http://packetstormsecurity.com/files/137469/nGrinder-3.3-Cross-Site-Scripting.html"
                },
                {
                  "name": "20160614 CVE-2016-5060 Stored Cross-Site Scripting vulnerability in nGrinder",
                  "refsource": "FULLDISC",
                  "url": "http://seclists.org/fulldisclosure/2016/Jun/23"
                },
                {
                  "name": "https://github.com/naver/ngrinder/issues/103",
                  "refsource": "CONFIRM",
                  "url": "https://github.com/naver/ngrinder/issues/103"
                }
              ]
            }
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "37e5125f-f79b-445b-8fad-9564f167944b",
        "assignerShortName": "certcc",
        "cveId": "CVE-2016-5060",
        "datePublished": "2016-12-13T22:00:00.000Z",
        "dateReserved": "2016-05-26T00:00:00.000Z",
        "dateUpdated": "2024-08-06T00:46:40.273Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2024-28216 (GCVE-0-2024-28216)

    Vulnerability from cvelistv5 – Published: 2024-03-07 04:50 – Updated: 2024-09-06 04:17
    VLAI
    Summary
    nGrinder before 3.5.9 allows an attacker to obtain the results of webhook requests due to lack of access control, which could be the cause of information disclosure and limited Server-Side Request Forgery.
    SSVC
    Exploitation: poc Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    Assigner
    References
    Impacted products
    Vendor Product Version
    NAVER nGrinder Unaffected: 3.5.9
    naver ngrinder Affected: 0 , < 3.5.9 (custom)
        cpe:2.3:a:naver:ngrinder:*:*:*:*:*:*:*:*
    Credits
    Peter Stöckli of GitHub Security Lab

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-02T00:48:49.603Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "name": "NAVER Security Advisory",
                "tags": [
                  "x_transferred"
                ],
                "url": "https://cve.naver.com/detail/cve-2024-28216.html"
              }
            ],
            "title": "CVE Program Container"
          },
          {
            "affected": [
              {
                "cpes": [
                  "cpe:2.3:a:naver:ngrinder:*:*:*:*:*:*:*:*"
                ],
                "defaultStatus": "unknown",
                "product": "ngrinder",
                "vendor": "naver",
                "versions": [
                  {
                    "lessThan": "3.5.9",
                    "status": "affected",
                    "version": "0",
                    "versionType": "custom"
                  }
                ]
              }
            ],
            "metrics": [
              {
                "cvssV3_1": {
                  "attackComplexity": "LOW",
                  "attackVector": "NETWORK",
                  "availabilityImpact": "NONE",
                  "baseScore": 5.4,
                  "baseSeverity": "MEDIUM",
                  "confidentialityImpact": "LOW",
                  "integrityImpact": "LOW",
                  "privilegesRequired": "LOW",
                  "scope": "UNCHANGED",
                  "userInteraction": "NONE",
                  "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N",
                  "version": "3.1"
                }
              },
              {
                "other": {
                  "content": {
                    "id": "CVE-2024-28216",
                    "options": [
                      {
                        "Exploitation": "poc"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2024-03-07T16:41:17.619047Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2024-08-12T19:42:34.411Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "affected",
              "product": "nGrinder",
              "vendor": "NAVER",
              "versions": [
                {
                  "status": "unaffected",
                  "version": "3.5.9"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "value": "Peter St\u00f6ckli of GitHub Security Lab"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "nGrinder before 3.5.9 allows an attacker to obtain the results of webhook requests due to lack of access control, which could be the cause of information disclosure and limited Server-Side Request Forgery."
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-862",
                  "description": "CWE-862 Missing Authorization",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2024-09-06T04:17:45.466Z",
            "orgId": "f9629fae-ca2e-4fbf-9785-3ed86476aef6",
            "shortName": "naver"
          },
          "references": [
            {
              "name": "NAVER Security Advisory",
              "url": "https://cve.naver.com/detail/cve-2024-28216.html"
            }
          ],
          "source": {
            "discovery": "EXTERNAL"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "f9629fae-ca2e-4fbf-9785-3ed86476aef6",
        "assignerShortName": "naver",
        "cveId": "CVE-2024-28216",
        "datePublished": "2024-03-07T04:50:15.338Z",
        "dateReserved": "2024-03-07T02:38:58.221Z",
        "dateUpdated": "2024-09-06T04:17:45.466Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2024-28215 (GCVE-0-2024-28215)

    Vulnerability from cvelistv5 – Published: 2024-03-07 04:50 – Updated: 2024-09-06 04:15
    VLAI
    Summary
    nGrinder before 3.5.9 allows an attacker to create or update webhook configuration due to lack of access control, which could be the cause of information disclosure and limited Server-Side Request Forgery.
    SSVC
    Exploitation: none Automatable: yes Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    Assigner
    References
    Impacted products
    Vendor Product Version
    NAVER nGrinder Unaffected: 3.5.9
    naver ngrinder Affected: 0 , < 3.5.9 (custom)
        cpe:2.3:a:naver:ngrinder:*:*:*:*:*:*:*:*
    Credits
    Peter Stöckli of GitHub Security Lab

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-02T00:48:49.627Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "name": "NAVER Security Advisory",
                "tags": [
                  "x_transferred"
                ],
                "url": "https://cve.naver.com/detail/cve-2024-28215.html"
              }
            ],
            "title": "CVE Program Container"
          },
          {
            "affected": [
              {
                "cpes": [
                  "cpe:2.3:a:naver:ngrinder:*:*:*:*:*:*:*:*"
                ],
                "defaultStatus": "unknown",
                "product": "ngrinder",
                "vendor": "naver",
                "versions": [
                  {
                    "lessThan": "3.5.9",
                    "status": "affected",
                    "version": "0",
                    "versionType": "custom"
                  }
                ]
              }
            ],
            "metrics": [
              {
                "cvssV3_1": {
                  "attackComplexity": "LOW",
                  "attackVector": "NETWORK",
                  "availabilityImpact": "NONE",
                  "baseScore": 7.5,
                  "baseSeverity": "HIGH",
                  "confidentialityImpact": "HIGH",
                  "integrityImpact": "NONE",
                  "privilegesRequired": "NONE",
                  "scope": "UNCHANGED",
                  "userInteraction": "NONE",
                  "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
                  "version": "3.1"
                }
              },
              {
                "other": {
                  "content": {
                    "id": "CVE-2024-28215",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2024-03-07T18:35:15.864891Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2024-08-28T20:18:55.816Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "affected",
              "product": "nGrinder",
              "vendor": "NAVER",
              "versions": [
                {
                  "status": "unaffected",
                  "version": "3.5.9"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "value": "Peter St\u00f6ckli of GitHub Security Lab"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "nGrinder before 3.5.9 allows an attacker to create or update webhook configuration due to lack of access control, which could be the cause of information disclosure and limited Server-Side Request Forgery."
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-862",
                  "description": "CWE-862 Missing Authorization",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2024-09-06T04:15:12.049Z",
            "orgId": "f9629fae-ca2e-4fbf-9785-3ed86476aef6",
            "shortName": "naver"
          },
          "references": [
            {
              "name": "NAVER Security Advisory",
              "url": "https://cve.naver.com/detail/cve-2024-28215.html"
            }
          ],
          "source": {
            "discovery": "EXTERNAL"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "f9629fae-ca2e-4fbf-9785-3ed86476aef6",
        "assignerShortName": "naver",
        "cveId": "CVE-2024-28215",
        "datePublished": "2024-03-07T04:50:08.422Z",
        "dateReserved": "2024-03-07T02:38:58.221Z",
        "dateUpdated": "2024-09-06T04:15:12.049Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2024-28214 (GCVE-0-2024-28214)

    Vulnerability from cvelistv5 – Published: 2024-03-07 04:49 – Updated: 2024-11-08 17:07
    VLAI
    Summary
    nGrinder before 3.5.9 allows to set delay without limitation, which could be the cause of Denial of Service by remote attacker.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-405 - Asymmetric Resource Consumption (Amplification)
    Assigner
    References
    Impacted products
    Vendor Product Version
    NAVER nGrinder Unaffected: 3.5.9
    Credits
    Peter Stöckli of GitHub Security Lab

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-02T00:48:49.632Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "name": "NAVER Security Advisory",
                "tags": [
                  "x_transferred"
                ],
                "url": "https://cve.naver.com/detail/cve-2024-28214.html"
              }
            ],
            "title": "CVE Program Container"
          },
          {
            "metrics": [
              {
                "cvssV3_1": {
                  "attackComplexity": "LOW",
                  "attackVector": "NETWORK",
                  "availabilityImpact": "LOW",
                  "baseScore": 2.7,
                  "baseSeverity": "LOW",
                  "confidentialityImpact": "NONE",
                  "integrityImpact": "NONE",
                  "privilegesRequired": "HIGH",
                  "scope": "UNCHANGED",
                  "userInteraction": "NONE",
                  "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:L",
                  "version": "3.1"
                }
              },
              {
                "other": {
                  "content": {
                    "id": "CVE-2024-28214",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2024-03-07T16:46:08.193153Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2024-11-08T17:07:55.690Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "affected",
              "product": "nGrinder",
              "vendor": "NAVER",
              "versions": [
                {
                  "status": "unaffected",
                  "version": "3.5.9"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "value": "Peter St\u00f6ckli of GitHub Security Lab"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "nGrinder before 3.5.9 allows to set delay without limitation, which could be the cause of Denial of Service by remote attacker."
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-405",
                  "description": "CWE-405 Asymmetric Resource Consumption (Amplification)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2024-09-06T04:12:38.448Z",
            "orgId": "f9629fae-ca2e-4fbf-9785-3ed86476aef6",
            "shortName": "naver"
          },
          "references": [
            {
              "name": "NAVER Security Advisory",
              "url": "https://cve.naver.com/detail/cve-2024-28214.html"
            }
          ],
          "source": {
            "discovery": "EXTERNAL"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "f9629fae-ca2e-4fbf-9785-3ed86476aef6",
        "assignerShortName": "naver",
        "cveId": "CVE-2024-28214",
        "datePublished": "2024-03-07T04:49:57.531Z",
        "dateReserved": "2024-03-07T02:38:58.221Z",
        "dateUpdated": "2024-11-08T17:07:55.690Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2024-28213 (GCVE-0-2024-28213)

    Vulnerability from cvelistv5 – Published: 2024-03-07 04:49 – Updated: 2024-08-22 20:01
    VLAI
    Summary
    nGrinder before 3.5.9 allows to accept serialized Java objects from unauthenticated users, which could allow remote attacker to execute arbitrary code via unsafe Java objects deserialization.
    SSVC
    Exploitation: none Automatable: no Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-502 - Deserialization of Untrusted Data
    Assigner
    References
    Impacted products
    Vendor Product Version
    NAVER nGrinder Unaffected: 3.5.9
    naver ngrinder Affected: 0 , < 3.5.9 (custom)
        cpe:2.3:a:naver:ngrinder:*:*:*:*:*:*:*:*
    Credits
    Peter Stöckli of GitHub Security Lab

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-02T00:48:49.537Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "name": "NAVER Security Advisory",
                "tags": [
                  "x_transferred"
                ],
                "url": "https://cve.naver.com/detail/cve-2024-28213.html"
              }
            ],
            "title": "CVE Program Container"
          },
          {
            "affected": [
              {
                "cpes": [
                  "cpe:2.3:a:naver:ngrinder:*:*:*:*:*:*:*:*"
                ],
                "defaultStatus": "unknown",
                "product": "ngrinder",
                "vendor": "naver",
                "versions": [
                  {
                    "lessThan": "3.5.9",
                    "status": "affected",
                    "version": "0",
                    "versionType": "custom"
                  }
                ]
              }
            ],
            "metrics": [
              {
                "cvssV3_1": {
                  "attackComplexity": "LOW",
                  "attackVector": "NETWORK",
                  "availabilityImpact": "HIGH",
                  "baseScore": 9.8,
                  "baseSeverity": "CRITICAL",
                  "confidentialityImpact": "HIGH",
                  "integrityImpact": "HIGH",
                  "privilegesRequired": "NONE",
                  "scope": "UNCHANGED",
                  "userInteraction": "NONE",
                  "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
                  "version": "3.1"
                }
              },
              {
                "other": {
                  "content": {
                    "id": "CVE-2024-28213",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2024-03-07T18:59:00.791879Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2024-08-22T20:01:34.318Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "affected",
              "product": "nGrinder",
              "vendor": "NAVER",
              "versions": [
                {
                  "status": "unaffected",
                  "version": "3.5.9"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "value": "Peter St\u00f6ckli of GitHub Security Lab"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "nGrinder before 3.5.9 allows to accept serialized Java objects from unauthenticated users, which could allow remote attacker to execute arbitrary code via unsafe Java objects deserialization."
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-502",
                  "description": "CWE-502 Deserialization of Untrusted Data",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2024-07-15T00:27:54.327Z",
            "orgId": "f9629fae-ca2e-4fbf-9785-3ed86476aef6",
            "shortName": "naver"
          },
          "references": [
            {
              "name": "NAVER Security Advisory",
              "url": "https://cve.naver.com/detail/cve-2024-28213.html"
            }
          ],
          "source": {
            "discovery": "EXTERNAL"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "f9629fae-ca2e-4fbf-9785-3ed86476aef6",
        "assignerShortName": "naver",
        "cveId": "CVE-2024-28213",
        "datePublished": "2024-03-07T04:49:47.237Z",
        "dateReserved": "2024-03-07T02:38:58.221Z",
        "dateUpdated": "2024-08-22T20:01:34.318Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2024-28212 (GCVE-0-2024-28212)

    Vulnerability from cvelistv5 – Published: 2024-03-07 04:49 – Updated: 2024-08-12 19:41
    VLAI
    Summary
    nGrinder before 3.5.9 uses old version of SnakeYAML, which could allow remote attacker to execute arbitrary code via unsafe deserialization.
    SSVC
    Exploitation: none Automatable: yes Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-502 - Deserialization of Untrusted Data
    Assigner
    References
    Impacted products
    Vendor Product Version
    NAVER nGrinder Unaffected: 3.5.9
    naver ngrinder Affected: 0 , < 3.5.9 (custom)
        cpe:2.3:a:naver:ngrinder:*:*:*:*:*:*:*:*
    Credits
    Peter Stöckli of GitHub Security Lab

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-02T00:48:49.537Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "name": "NAVER Security Advisory",
                "tags": [
                  "x_transferred"
                ],
                "url": "https://cve.naver.com/detail/cve-2024-28212.html"
              }
            ],
            "title": "CVE Program Container"
          },
          {
            "affected": [
              {
                "cpes": [
                  "cpe:2.3:a:naver:ngrinder:*:*:*:*:*:*:*:*"
                ],
                "defaultStatus": "unknown",
                "product": "ngrinder",
                "vendor": "naver",
                "versions": [
                  {
                    "lessThan": "3.5.9",
                    "status": "affected",
                    "version": "0",
                    "versionType": "custom"
                  }
                ]
              }
            ],
            "metrics": [
              {
                "cvssV3_1": {
                  "attackComplexity": "LOW",
                  "attackVector": "NETWORK",
                  "availabilityImpact": "HIGH",
                  "baseScore": 9.8,
                  "baseSeverity": "CRITICAL",
                  "confidentialityImpact": "HIGH",
                  "integrityImpact": "HIGH",
                  "privilegesRequired": "NONE",
                  "scope": "UNCHANGED",
                  "userInteraction": "NONE",
                  "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
                  "version": "3.1"
                }
              },
              {
                "other": {
                  "content": {
                    "id": "CVE-2024-28212",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2024-08-12T19:41:37.787067Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2024-08-12T19:41:41.104Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "affected",
              "product": "nGrinder",
              "vendor": "NAVER",
              "versions": [
                {
                  "status": "unaffected",
                  "version": "3.5.9"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "value": "Peter St\u00f6ckli of GitHub Security Lab"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "nGrinder before 3.5.9 uses old version of SnakeYAML, which could allow remote attacker to execute arbitrary code via unsafe deserialization."
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-502",
                  "description": "CWE-502 Deserialization of Untrusted Data",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2024-07-15T00:27:54.327Z",
            "orgId": "f9629fae-ca2e-4fbf-9785-3ed86476aef6",
            "shortName": "naver"
          },
          "references": [
            {
              "name": "NAVER Security Advisory",
              "url": "https://cve.naver.com/detail/cve-2024-28212.html"
            }
          ],
          "source": {
            "discovery": "EXTERNAL"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "f9629fae-ca2e-4fbf-9785-3ed86476aef6",
        "assignerShortName": "naver",
        "cveId": "CVE-2024-28212",
        "datePublished": "2024-03-07T04:49:37.921Z",
        "dateReserved": "2024-03-07T02:38:58.221Z",
        "dateUpdated": "2024-08-12T19:41:41.104Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2024-28211 (GCVE-0-2024-28211)

    Vulnerability from cvelistv5 – Published: 2024-03-07 04:49 – Updated: 2024-08-05 20:05
    VLAI
    Summary
    nGrinder before 3.5.9 allows connections to a malicious JMX/RMI server by default, which could allow a remote attacker to execute arbitrary code via the RMI registry.
    SSVC
    Exploitation: none Automatable: yes Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-502 - Deserialization of Untrusted Data
    Assigner
    References
    Impacted products
    Vendor Product Version
    NAVER nGrinder Unaffected: 3.5.9
    naver ngrinder Affected: 0 , < 3.5.9 (custom)
        cpe:2.3:a:naver:ngrinder:*:*:*:*:*:*:*:*
    Credits
    Peter Stöckli of GitHub Security Lab

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-02T00:48:49.646Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "name": "NAVER Security Advisory",
                "tags": [
                  "x_transferred"
                ],
                "url": "https://cve.naver.com/detail/cve-2024-28211.html"
              }
            ],
            "title": "CVE Program Container"
          },
          {
            "affected": [
              {
                "cpes": [
                  "cpe:2.3:a:naver:ngrinder:*:*:*:*:*:*:*:*"
                ],
                "defaultStatus": "affected",
                "product": "ngrinder",
                "vendor": "naver",
                "versions": [
                  {
                    "lessThan": "3.5.9",
                    "status": "affected",
                    "version": "0",
                    "versionType": "custom"
                  }
                ]
              }
            ],
            "metrics": [
              {
                "cvssV3_1": {
                  "attackComplexity": "LOW",
                  "attackVector": "NETWORK",
                  "availabilityImpact": "HIGH",
                  "baseScore": 9.8,
                  "baseSeverity": "CRITICAL",
                  "confidentialityImpact": "HIGH",
                  "integrityImpact": "HIGH",
                  "privilegesRequired": "NONE",
                  "scope": "UNCHANGED",
                  "userInteraction": "NONE",
                  "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
                  "version": "3.1"
                }
              },
              {
                "other": {
                  "content": {
                    "id": "CVE-2024-28211",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2024-08-05T20:03:53.607719Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2024-08-05T20:05:34.960Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "affected",
              "product": "nGrinder",
              "vendor": "NAVER",
              "versions": [
                {
                  "status": "unaffected",
                  "version": "3.5.9"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "value": "Peter St\u00f6ckli of GitHub Security Lab"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "nGrinder before 3.5.9 allows connection to malicious JMX/RMI server by default, which could be the cause of executing arbitrary code via RMI registry by remote attacker."
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-502",
                  "description": "CWE-502 Deserialization of Untrusted Data",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2024-07-15T00:27:54.327Z",
            "orgId": "f9629fae-ca2e-4fbf-9785-3ed86476aef6",
            "shortName": "naver"
          },
          "references": [
            {
              "name": "NAVER Security Advisory",
              "url": "https://cve.naver.com/detail/cve-2024-28211.html"
            }
          ],
          "source": {
            "discovery": "EXTERNAL"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "f9629fae-ca2e-4fbf-9785-3ed86476aef6",
        "assignerShortName": "naver",
        "cveId": "CVE-2024-28211",
        "datePublished": "2024-03-07T04:49:21.951Z",
        "dateReserved": "2024-03-07T02:38:58.220Z",
        "dateUpdated": "2024-08-05T20:05:34.960Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2016-5060 (GCVE-0-2016-5060)

    Vulnerability from cvelistv5 – Published: 2016-12-13 22:00 – Updated: 2024-08-06 00:46
    VLAI
    Summary
    Multiple cross-site scripting (XSS) vulnerabilities in nGrinder before 3.4 allow remote attackers to inject arbitrary web script or HTML via the (1) description, (2) email, or (3) username parameter to user/save.
    Severity
    No CVSS data available.
    CWE
    • n/a
    Assigner
    Date Public
    2016-05-24 00:00

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-06T00:46:40.273Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_refsource_CONFIRM",
                  "x_transferred"
                ],
                "url": "https://github.com/naver/ngrinder/releases/tag/ngrinder-3.4-20160525"
              },
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "http://packetstormsecurity.com/files/137469/nGrinder-3.3-Cross-Site-Scripting.html"
              },
              {
                "name": "20160614 CVE-2016-5060 Stored Cross-Site Scripting vulnerability in nGrinder",
                "tags": [
                  "mailing-list",
                  "x_refsource_FULLDISC",
                  "x_transferred"
                ],
                "url": "http://seclists.org/fulldisclosure/2016/Jun/23"
              },
              {
                "tags": [
                  "x_refsource_CONFIRM",
                  "x_transferred"
                ],
                "url": "https://github.com/naver/ngrinder/issues/103"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "n/a",
              "vendor": "n/a",
              "versions": [
                {
                  "status": "affected",
                  "version": "n/a"
                }
              ]
            }
          ],
          "datePublic": "2016-05-24T00:00:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "value": "Multiple cross-site scripting (XSS) vulnerabilities in nGrinder before 3.4 allow remote attackers to inject arbitrary web script or HTML via the (1) description, (2) email, or (3) username parameter to user/save."
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "description": "n/a",
                  "lang": "en",
                  "type": "text"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2016-12-13T21:57:01.000Z",
            "orgId": "37e5125f-f79b-445b-8fad-9564f167944b",
            "shortName": "certcc"
          },
          "references": [
            {
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/naver/ngrinder/releases/tag/ngrinder-3.4-20160525"
            },
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "http://packetstormsecurity.com/files/137469/nGrinder-3.3-Cross-Site-Scripting.html"
            },
            {
              "name": "20160614 CVE-2016-5060 Stored Cross-Site Scripting vulnerability in nGrinder",
              "tags": [
                "mailing-list",
                "x_refsource_FULLDISC"
              ],
              "url": "http://seclists.org/fulldisclosure/2016/Jun/23"
            },
            {
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/naver/ngrinder/issues/103"
            }
          ],
          "x_legacyV4Record": {
            "CVE_data_meta": {
              "ASSIGNER": "cert@cert.org",
              "ID": "CVE-2016-5060",
              "STATE": "PUBLIC"
            },
            "affects": {
              "vendor": {
                "vendor_data": [
                  {
                    "product": {
                      "product_data": [
                        {
                          "product_name": "n/a",
                          "version": {
                            "version_data": [
                              {
                                "version_value": "n/a"
                              }
                            ]
                          }
                        }
                      ]
                    },
                    "vendor_name": "n/a"
                  }
                ]
              }
            },
            "data_format": "MITRE",
            "data_type": "CVE",
            "data_version": "4.0",
            "description": {
              "description_data": [
                {
                  "lang": "eng",
                  "value": "Multiple cross-site scripting (XSS) vulnerabilities in nGrinder before 3.4 allow remote attackers to inject arbitrary web script or HTML via the (1) description, (2) email, or (3) username parameter to user/save."
                }
              ]
            },
            "problemtype": {
              "problemtype_data": [
                {
                  "description": [
                    {
                      "lang": "eng",
                      "value": "n/a"
                    }
                  ]
                }
              ]
            },
            "references": {
              "reference_data": [
                {
                  "name": "https://github.com/naver/ngrinder/releases/tag/ngrinder-3.4-20160525",
                  "refsource": "CONFIRM",
                  "url": "https://github.com/naver/ngrinder/releases/tag/ngrinder-3.4-20160525"
                },
                {
                  "name": "http://packetstormsecurity.com/files/137469/nGrinder-3.3-Cross-Site-Scripting.html",
                  "refsource": "MISC",
                  "url": "http://packetstormsecurity.com/files/137469/nGrinder-3.3-Cross-Site-Scripting.html"
                },
                {
                  "name": "20160614 CVE-2016-5060 Stored Cross-Site Scripting vulnerability in nGrinder",
                  "refsource": "FULLDISC",
                  "url": "http://seclists.org/fulldisclosure/2016/Jun/23"
                },
                {
                  "name": "https://github.com/naver/ngrinder/issues/103",
                  "refsource": "CONFIRM",
                  "url": "https://github.com/naver/ngrinder/issues/103"
                }
              ]
            }
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "37e5125f-f79b-445b-8fad-9564f167944b",
        "assignerShortName": "certcc",
        "cveId": "CVE-2016-5060",
        "datePublished": "2016-12-13T22:00:00.000Z",
        "dateReserved": "2016-05-26T00:00:00.000Z",
        "dateUpdated": "2024-08-06T00:46:40.273Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }