{"dataType":"CVE_RECORD","dataVersion":"5.1","cveMetadata":{"cveId":"CVE-2024-9802","assignerOrgId":"b1336bef-059d-4e13-b11b-9a6ef21b3c78","state":"PUBLISHED","assignerShortName":"Zowe","dateReserved":"2024-10-10T07:41:03.236Z","datePublished":"2024-10-10T07:41:03.374Z","dateUpdated":"2024-10-10T14:22:43.244Z"},"containers":{"cna":{"title":"Conformance validation endpoint discloses details about a service to unauthenticated users","affected":[{"vendor":"Open Mainframe Project","product":"Zowe","versions":[{"version":"2.11.0","status":"affected","lessThan":"2.17.0","versionType":"semver"}]}],"descriptions":[{"lang":"en","value":"The conformance validation endpoint is public, so anyone can verify the conformance of onboarded services. The response could contain specific information about the service, including its available endpoints and its Swagger (OpenAPI) API documentation. It could reveal the running version of a service to an attacker. The attacker could also check whether a service is running."}],"metrics":[{"format":"CVSS","scenarios":[{"lang":"en","value":"GENERAL"}],"cvssV3_1":{"version":"3.1","baseScore":5.3,"baseSeverity":"MEDIUM","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N/E:U/RL:O/RC:C"}}],"solutions":[{"lang":"en","value":"Fixed in version 2.17.0: authentication is now required for the endpoints."}],"workarounds":[{"lang":"en","value":"No workaround is available."}],"exploits":[{"lang":"en","value":"There are no known exploits of this issue in the wild; however, exploits targeting this issue are publicly available."}],"credits":[{"lang":"en","value":"Pablo Hernan Carle","type":"finder"},{"lang":"en","value":"Pavel Jareš","type":"finder"}],"providerMetadata":{"orgId":"b1336bef-059d-4e13-b11b-9a6ef21b3c78","shortName":"Zowe","dateUpdated":"2024-10-10T07:41:03.374Z"},"references":[{"tags":["product"],"url":"https://github.com/zowe/api-layer"}]},"adp":[{"problemTypes":[{"descriptions":[{"type":"CWE","cweId":"CWE-312","lang":"en","description":"CWE-312 Cleartext Storage of Sensitive Information"}]}],"affected":[{"vendor":"linuxfoundation","product":"zowe_api_mediation_layer","cpes":["cpe:2.3:a:linuxfoundation:zowe_api_mediation_layer:*:*:*:*:*:*:*:*"],"defaultStatus":"unknown","versions":[{"version":"2.11.0","status":"affected","lessThan":"2.17.0","versionType":"semver"}]}],"metrics":[{"other":{"type":"ssvc","content":{"timestamp":"2024-10-10T13:45:19.081095Z","id":"CVE-2024-9802","options":[{"Exploitation":"none"},{"Automatable":"yes"},{"Technical Impact":"partial"}],"role":"CISA Coordinator","version":"2.0.3"}}}],"title":"CISA ADP Vulnrichment","providerMetadata":{"orgId":"134c704f-9b21-4f2e-91b3-4a467353bcc0","shortName":"CISA-ADP","dateUpdated":"2024-10-10T14:22:43.244Z"}}]}}