SB2025022430 - Multiple vulnerabilities in HPE Unified OSS Console Assurance Monitoring (UOCAM)
Published: February 24, 2025
Breakdown by Severity
- Low
- Medium
- High
- Critical
Description
This security bulletin contains information about 4 secuirty vulnerabilities.
1) Server-Side Request Forgery (SSRF) (CVE-ID: CVE-2024-39338)
The disclosed vulnerability allows a remote attacker to perform SSRF attacks.
The vulnerability exists due to insufficient validation of user-supplied input. A remote attacker can send a specially crafted HTTP request and trick the application to initiate requests to arbitrary systems.
Successful exploitation of this vulnerability may allow a remote attacker gain access to sensitive data, located in the local network or send malicious requests to other servers from the vulnerable system.
2) Server-Side Request Forgery (SSRF) (CVE-ID: CVE-2024-22020)
The disclosed vulnerability allows a remote user to perform SSRF attacks.
The vulnerability exists due to insufficient validation of user-supplied input when handling non-network imports in data URLs. A remote user can bypass network import restrictions and execute arbitrary code.
3) Permissions, Privileges, and Access Controls (CVE-ID: CVE-2024-22018)
The vulnerability allows a remote user to bypass permissions model.
The vulnerability exists due to application does not properly impose security restrictions when experimental permission model when the --allow-fs-read flag is used. A remote user can retrieve stats from files that they do not have explicit read access to.
4) Permissions, Privileges, and Access Controls (CVE-ID: CVE-2024-36137)
The vulnerability allows a remote user to escalate privileges within the application.
The vulnerability exists due to application does not properly impose security restrictions in the experimental permission model when the --allow-fs-write flag is used. A remote user can change file ownership and permissions via fs.fchown and fs.fchmod.
Remediation
Install update from vendor's website.