Filtered by vendor Delinea
Subscribe
Total
7 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2024-25650 | 1 Delinea | 2 Distributed Engine, Secret Server | 2025-05-01 | N/A | 5.9 MEDIUM |
| Insecure key exchange between Delinea PAM Secret Server 11.4 and the Distributed Engine 8.4.3 allows a PAM administrator to obtain the Symmetric Key (used to encrypt RabbitMQ messages) via crafted payloads to the /pre-authenticate, /authenticate, and /execute-and-respond REST API endpoints. This makes it possible for a PAM administrator to impersonate the Engine and exfiltrate sensitive information from the messages published in the RabbitMQ exchanges, without being audited in the application. | |||||
| CVE-2024-25649 | 1 Delinea | 1 Secret Server | 2025-04-30 | N/A | 6.7 MEDIUM |
| In Delinea PAM Secret Server 11.4, it is possible for an attacker (with Administrator access to the Secret Server machine) to read the following data from a memory dump: the decrypted master key, database credentials (when SQL Server Authentication is enabled), the encryption key of RabbitMQ queue messages, and session cookies. | |||||
| CVE-2024-25652 | 1 Delinea | 1 Secret Server | 2025-04-30 | N/A | 9.8 CRITICAL |
| In Delinea PAM Secret Server 11.4, it is possible for a user (with access to the Report functionality) to gain unauthorized access to remote sessions created by legitimate users. | |||||
| CVE-2024-5866 | 1 Delinea | 1 Privileged Access Service | 2024-11-21 | N/A | 5.0 MEDIUM |
| Vulnerability in Delinea Centrify PAS v. 21.3 and possibly others. The application is prone to the path traversal vulnerability allowing listing of arbitrary directory outside the root directory of the web application. Versions 23.1-HF7 and on have the patch. | |||||
| CVE-2024-5865 | 1 Delinea | 1 Privileged Access Service | 2024-11-21 | N/A | 7.7 HIGH |
| Vulnerability in Delinea Centrify PAS v. 21.3 and possibly others. The application is prone to the path traversal vulnerability allowing arbitrary files reading outside the web publish directory. Versions 23.1-HF7 and on have the patch. | |||||
| CVE-2023-4589 | 1 Delinea | 1 Secret Server | 2024-11-21 | N/A | 9.1 CRITICAL |
| Insufficient verification of data authenticity vulnerability in Delinea Secret Server, in its v10.9.000002 version. An attacker with an administrator account could perform software updates without proper integrity verification mechanisms. In this scenario, the update process lacks digital signatures and fails to validate the integrity of the update package, allowing the attacker to inject malicious applications during the update. | |||||
| CVE-2023-4588 | 1 Delinea | 1 Secret Server | 2024-11-21 | N/A | 6.8 MEDIUM |
| File accessibility vulnerability in Delinea Secret Server, in its v10.9.000002 and v11.4.000002 versions. Exploitation of this vulnerability could allow an authenticated user with administrative privileges to create a backup file in the application's webroot directory, changing the default backup directory to the wwwroot folder, and download it with some configuration files such as encryption.config/ and database.config stored in the wwwroot directory, exposing the database credentials in plain text. | |||||