GHSA-WJMJ-H3XC-HXP8
Vulnerability from github – Published: 2024-06-06 22:58 – Updated: 2024-10-31 22:24
VLAI
Summary
Generation of Error Message Containing Sensitive Information in zsa
Details
Impact
All users are impacted. The zsa application transfers the parse error stack from the server to the client in production build mode. This can potentially reveal sensitive information about the server environment, such as the machine username and directory paths. An attacker could exploit this vulnerability to gain unauthorized access to sensitive server information. This information could be used to plan further attacks or gain a deeper understanding of the server infrastructure.
Patches
Yes, this has been pathed on 0.3.3
Workarounds
No way to fix other than the patch.
Severity
5.3 (Medium)
{
"affected": [
{
"package": {
"ecosystem": "npm",
"name": "zsa"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "0.3.3"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2024-37162"
],
"database_specific": {
"cwe_ids": [
"CWE-209"
],
"github_reviewed": true,
"github_reviewed_at": "2024-06-06T22:58:46Z",
"nvd_published_at": "2024-06-07T15:15:50Z",
"severity": "MODERATE"
},
"details": "### Impact\nAll users are impacted. The zsa application transfers the parse error stack from the server to the client in production build mode. This can potentially reveal sensitive information about the server environment, such as the machine username and directory paths. An attacker could exploit this vulnerability to gain unauthorized access to sensitive server information. This information could be used to plan further attacks or gain a deeper understanding of the server infrastructure.\n\n### Patches\nYes, this has been pathed on `0.3.3`\n\n### Workarounds\nNo way to fix other than the patch.\n",
"id": "GHSA-wjmj-h3xc-hxp8",
"modified": "2024-10-31T22:24:07Z",
"published": "2024-06-06T22:58:46Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/IdoPesok/zsa/security/advisories/GHSA-wjmj-h3xc-hxp8"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-37162"
},
{
"type": "WEB",
"url": "https://github.com/IdoPesok/zsa/commit/86b86b282bde6780963f62406cc8bc65f2c86f3a"
},
{
"type": "PACKAGE",
"url": "https://github.com/IdoPesok/zsa"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N",
"type": "CVSS_V4"
}
],
"summary": "Generation of Error Message Containing Sensitive Information in zsa"
}
Loading…
Loading…
Experimental. This forecast is provided for visualization only and may change without notice. Do not use it for operational decisions.
Forecast uses a logistic model when the trend is rising, or an exponential decay model when the trend is falling. Fitted via linearized least squares.
Sightings
| Author | Source | Type | Date | Other |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.
Loading…
Loading…