Vulnerability Monitor

The vendors, products, and vulnerabilities you care about

CVE-2024-3046

In Eclipse Kura LogServlet component included in versions 5.0.0 to 5.4.1, a specifically crafted request to the servlet can allow an unauthenticated user to retrieve the device logs. Also, downloaded logs may be used by an attacker to perform privilege escalation by using the session id of an authenticated user reported in logs. This issue affects org.eclipse.kura:org.eclipse.kura.web2 version range [2.0.600, 2.4.0], which is included in Eclipse Kura version range [5.0.0, 5.4.1]

Published

2024-04-09T10:15:08.600

Last Modified

2025-02-06T18:07:07.747

Status

Analyzed

Source

[email protected]

Severity

CVSSv3.1: 7.5 (HIGH)

Weaknesses

Type: Secondary
CWE-303
Type: Primary
NVD-CWE-noinfo

Affected Vendors & Products

Type	Vendor	Product	Version/Range	Vulnerable?
Application	eclipse	kura	≤ 5.4.1	Yes

References

https://gitlab.eclipse.org/security/vulnerability-reports/-/issues/188 Issue Tracking, Vendor Advisory ([email protected])
https://gitlab.eclipse.org/security/vulnerability-reports/-/issues/188 Issue Tracking, Vendor Advisory (af854a3a-2127-422b-91ae-364da2661108)