CVE-2024-22464

Dell EMC AppSync, versions from 4.2.0.0 to 4.6.0.0 including all Service Pack releases, contain an exposure of sensitive information vulnerability in AppSync server logs. A high privileged remote attacker could potentially exploit this vulnerability, leading to the disclosure of certain user credentials. The attacker may be able to use the exposed credentials to access the vulnerable system with privileges of the compromised account.

CVSS v3 6.2 MEDIUM

6.2^/10

CVSS v3 : MEDIUM

Vector :

Exploitability : 1.7 / Impact : 4.0

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required HIGH

User Interaction REQUIRED

Confidentiality Impact HIGH

Integrity Impact NONE

Availability Impact NONE

Scope CHANGED

References

Link	Resource
https://www.dell.com/support/kbdoc/en-us/000221932/dsa-2024-072-security-update-for-dell-emc-appsync-for-vulnerabilities	Vendor Advisory
https://www.dell.com/support/kbdoc/en-us/000221932/dsa-2024-072-security-update-for-dell-emc-appsync-for-vulnerabilities	Vendor Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:dell:emc_appsync:*:*:*:*:*:*:*:*

History

21 Nov 2024, 08:56

Type	Values Removed	Values Added
References	~~() https://www.dell.com/support/kbdoc/en-us/000221932/dsa-2024-072-security-update-for-dell-emc-appsync-for-vulnerabilities - Vendor Advisory~~	() https://www.dell.com/support/kbdoc/en-us/000221932/dsa-2024-072-security-update-for-dell-emc-appsync-for-vulnerabilities - Vendor Advisory
CVSS	v2 : ~~unknown~~ v3 : ~~6.8~~	v2 : unknown v3 : 6.2

15 Feb 2024, 05:03

Type	Values Removed	Values Added
First Time		Dell emc Appsync Dell
CVSS	v2 : ~~unknown~~ v3 : ~~unknown~~	v2 : unknown v3 : 6.8
CWE		CWE-532
CPE		cpe:2.3:a:dell:emc_appsync::::::::
References	~~() https://www.dell.com/support/kbdoc/en-us/000221932/dsa-2024-072-security-update-for-dell-emc-appsync-for-vulnerabilities -~~	() https://www.dell.com/support/kbdoc/en-us/000221932/dsa-2024-072-security-update-for-dell-emc-appsync-for-vulnerabilities - Vendor Advisory

08 Feb 2024, 10:15

Type	Values Removed	Values Added
New CVE

Information

Published : 2024-02-08 10:15

Updated : 2024-11-21 08:56

NVD link : CVE-2024-22464

Mitre link : CVE-2024-22464

CVE.ORG link : CVE-2024-22464

JSON object : View

Products Affected

dell

emc_appsync

CWE

CWE-532

Insertion of Sensitive Information into Log File

{"id": "CVE-2024-22464", "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "security_alert@emc.com", "cvssData": {"scope": "CHANGED", "version": "3.1", "baseScore": 6.2, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "HIGH", "confidentialityImpact": "HIGH"}, "impactScore": 4.0, "exploitabilityScore": 1.7}, {"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "CHANGED", "version": "3.1", "baseScore": 6.8, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "HIGH", "confidentialityImpact": "HIGH"}, "impactScore": 4.0, "exploitabilityScore": 2.3}]}, "published": "2024-02-08T10:15:14.183", "references": [{"url": "https://www.dell.com/support/kbdoc/en-us/000221932/dsa-2024-072-security-update-for-dell-emc-appsync-for-vulnerabilities", "tags": ["Vendor Advisory"], "source": "security_alert@emc.com"}, {"url": "https://www.dell.com/support/kbdoc/en-us/000221932/dsa-2024-072-security-update-for-dell-emc-appsync-for-vulnerabilities", "tags": ["Vendor Advisory"], "source": "af854a3a-2127-422b-91ae-364da2661108"}], "vulnStatus": "Modified", "weaknesses": [{"type": "Secondary", "source": "security_alert@emc.com", "description": [{"lang": "en", "value": "CWE-532"}]}, {"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-532"}]}], "descriptions": [{"lang": "en", "value": "\nDell EMC AppSync, versions from 4.2.0.0 to 4.6.0.0 including all Service Pack releases, contain an exposure of sensitive information vulnerability in AppSync server logs. A high privileged remote attacker could potentially exploit this vulnerability, leading to the disclosure of certain user credentials. The attacker may be able to use the exposed credentials to access the vulnerable system with privileges of the compromised account.\n\n"}, {"lang": "es", "value": "Dell EMC AppSync, versiones de 4.2.0.0 a 4.6.0.0, incluidas todas las versiones de Service Pack, contienen una exposici\u00f3n de vulnerabilidad de informaci\u00f3n confidencial en los registros del servidor de AppSync. Un atacante remoto con privilegios elevados podr\u00eda explotar esta vulnerabilidad, lo que llevar\u00eda a la divulgaci\u00f3n de determinadas credenciales de usuario. Es posible que el atacante pueda utilizar las credenciales expuestas para acceder al sistema vulnerable con los privilegios de la cuenta comprometida."}], "lastModified": "2024-11-21T08:56:20.280", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:dell:emc_appsync:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "211F1F23-7FBD-4708-AB79-BE2A94763FC0", "versionEndExcluding": "4.6.0.2", "versionStartIncluding": "4.2.0.0"}], "operator": "OR"}]}], "sourceIdentifier": "security_alert@emc.com"}