CVE-2024-49357 Scanner
CVE-2024-49357 Scanner - Information Disclosure vulnerability in ZimaOS
Short Info
Level
Single Scan
Single Scan
Can be used by
Asset Owner
Estimated Time
10 seconds
Time Interval
20 days 9 hours
Scan only one
URL
Toolbox
ZimaOS is a fork of CasaOS, specifically designed for Zima devices and x86-64 systems with UEFI. It is an operating system utilized by developers and users who need a robust OS for these devices. ZimaOS offers a user-friendly interface and a suite of applications tailored for seamless integration. Its versatility and customization options make it a preferred choice in these environments. However, maintaining its security is crucial, given the sensitivity of systems it operates on.
The detected vulnerability in ZimaOS, specifically in versions up to 1.2.4, involves the unintended exposure of sensitive data through certain API endpoints. This information disclosure vulnerability does not require any authentication, allowing unrestricted access to critical data. Such vulnerabilities can pose significant risks if exploited by malicious actors. The lack of authorization checks exacerbates the severity, making it imperative to address this flaw promptly.
Technically, the vulnerability arises from API endpoints designed to serve sensitive information about the system and installed applications. Vulnerable endpoints include `http:///v1/users/image?path=/var/lib/casaos/1/app_order.json` and similar paths that should be secured. These endpoints inadvertently allow any user to access detailed system configurations and application data without authentication or authorization. This unrestricted access can provide an attack vector for further intrusion activities.
If exploited, this vulnerability could allow attackers to gather significant intelligence about the target system. Such information can aid in planning further attacks, potentially allowing adversaries to exploit other vulnerabilities or gain more profound access. The exposure of system and app data might also lead to privacy breaches and compromise of sensitive data, affecting both personal and organizational security.
REFERENCES
