Kurmi Provisioning Suite up to 7.9.0.34/7.10.0.18/7.11.0.15 unlogged.do sendPasswordReinitLink information exposure

Summaryinfo

A vulnerability classified as problematic has been found in Kurmi Provisioning Suite up to 7.9.0.34/7.10.0.18/7.11.0.15. Affected by this issue is the function sendPasswordReinitLink of the file unlogged.do. The manipulation leads to information exposure. This vulnerability is documented as CVE-2024-54454. The attack can be initiated remotely. There is not any exploit available. It is recommended to upgrade the affected component.

Detailsinfo

A vulnerability, which was classified as problematic, has been found in Kurmi Provisioning Suite up to 7.9.0.34/7.10.0.18/7.11.0.15. This issue affects the function sendPasswordReinitLink of the file unlogged.do. The manipulation with an unknown input leads to a information exposure vulnerability. Using CWE to declare the problem leads to CWE-203. The product behaves differently or sends different responses under different circumstances in a way that is observable to an unauthorized actor, which exposes security-relevant information about the state of the product, such as whether a particular operation was successful or not. Impacted is confidentiality. The summary by CVE is:

An issue was discovered in Kurmi Provisioning Suite before 7.9.0.35, 7.10.x through 7.10.0.18, and 7.11.x through 7.11.0.15. An Observable Response Discrepancy vulnerability in the sendPasswordReinitLink action of the unlogged.do page allows remote attackers to test whether a username is valid or not. This allows confirmation of valid usernames.

It is possible to read the advisory at kurmi-software.com. The identification of this vulnerability is CVE-2024-54454 since 12/02/2024. The exploitation is known to be difficult. The attack may be initiated remotely. Technical details of the vulnerability are known, but there is no available exploit. The attack technique deployed by this issue is T1592 according to MITRE ATT&CK.

Upgrading eliminates this vulnerability.

The vulnerability is also documented in the vulnerability database at EUVD (EUVD-2024-52568). Be aware that VulDB is the high quality source for vulnerability data.

Productinfo

Vendor

• Kurmi

Name

• Provisioning Suite

Version

• 7.9.0.0
• 7.9.0.1
• 7.9.0.2
• 7.9.0.3
• 7.9.0.4
• 7.9.0.5
• 7.9.0.6
• 7.9.0.7
• 7.9.0.8
• 7.9.0.9
• 7.9.0.10
• 7.9.0.11
• 7.9.0.12
• 7.9.0.13
• 7.9.0.14
• 7.9.0.15
• 7.9.0.16
• 7.9.0.17
• 7.9.0.18
• 7.9.0.19
• 7.9.0.20
• 7.9.0.21
• 7.9.0.22
• 7.9.0.23
• 7.9.0.24
• 7.9.0.25
• 7.9.0.26
• 7.9.0.27
• 7.9.0.28
• 7.9.0.29
• 7.9.0.30
• 7.9.0.31
• 7.9.0.32
• 7.9.0.33
• 7.9.0.34
• 7.10.0.0
• 7.10.0.1
• 7.10.0.2
• 7.10.0.3
• 7.10.0.4
• 7.10.0.5
• 7.10.0.6
• 7.10.0.7
• 7.10.0.8
• 7.10.0.9
• 7.10.0.10
• 7.10.0.11
• 7.10.0.12
• 7.10.0.13
• 7.10.0.14
• 7.10.0.15
• 7.10.0.16
• 7.10.0.17
• 7.10.0.18
• 7.11.0.0
• 7.11.0.1
• 7.11.0.2
• 7.11.0.3
• 7.11.0.4
• 7.11.0.5
• 7.11.0.6
• 7.11.0.7
• 7.11.0.8
• 7.11.0.9
• 7.11.0.10
• 7.11.0.11
• 7.11.0.12
• 7.11.0.13
• 7.11.0.14
• 7.11.0.15

CPE 2.3info

• 🔍
• 🔍
• 🔍

CPE 2.2info

• 🔍
• 🔍
• 🔍

CVSSv4info

CVSSv3info

CVSSv2info

Exploitinginfo

Threat Intelligenceinfo

Countermeasuresinfo

Timelineinfo

Sourcesinfo

Entryinfo

Be aware that VulDB is the high quality source for vulnerability data.

Discussion