PT-2020-8514 · Jamf · Jamf Pro

Published: 2020-01-07 · Updated: 2020-08-24 · CVE-2018-10465

CVSS v3.1: 8.8 (High)
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: Jamf Pro versions prior to 10.3.0
Description: The issue is an incorrect access control check: Jamf Pro user accounts and groups that have login access to Jamf Pro are granted full access to every endpoint in the Universal API (UAPI), regardless of the privileges assigned to them. An authenticated account that lacks the required privileges can therefore perform CRUD actions (GET, POST, PUT, DELETE) on UAPI endpoints, potentially leading to unauthorized information disclosure, compromised data integrity, and data loss. The available UAPI endpoints and their associated CRUD actions are listed at the "/uapi/doc" endpoint of a Jamf Pro instance.
Recommendations: For Jamf Pro versions prior to 10.3.0, update to version 10.3.0 or later to resolve the issue. As a temporary workaround, consider restricting access to the UAPI endpoints to minimize the risk of exploitation. Avoid using accounts without required privileges to access the UAPI until the issue is resolved.
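As an added illustration of the flaw class described above (hypothetical code, not Jamf Pro's implementation; the endpoint paths and privilege names are constructed for the example), the vulnerable authorization shape is shown beside a default-deny, per-endpoint privilege check:

```python
"""Hypothetical authorization check modelled on the advisory's flaw class.
Not Jamf Pro's code; endpoint paths and privilege names are constructed."""

from dataclasses import dataclass, field


@dataclass
class Account:
    name: str
    login_access: bool                      # account may log in to the console
    privileges: frozenset = field(default_factory=frozenset)


# Constructed map: (HTTP method, normalized endpoint) -> privilege that must be held.
REQUIRED_PRIVILEGE = {
    ("GET", "/uapi/v1/computers"): "Read Computers",
    ("POST", "/uapi/v1/computers"): "Create Computers",
    ("PUT", "/uapi/v1/computers"): "Update Computers",
    ("DELETE", "/uapi/v1/computers"): "Delete Computers",
}


def _normalize(path: str) -> str:
    """Drop numeric ID segments so /uapi/v1/computers/42 maps to /uapi/v1/computers."""
    return "/".join(p for p in path.rstrip("/").split("/") if not p.isdigit())


def authorize_vulnerable(account: Account, method: str, path: str) -> bool:
    """Flaw class from the advisory: login access alone unlocks every endpoint
    and every verb; the account's privileges are never consulted."""
    return account.login_access


def authorize_fixed(account: Account, method: str, path: str) -> bool:
    """Hardened form: each (method, endpoint) pair requires its own privilege,
    and any pair not in the map is denied (default deny)."""
    if not account.login_access:
        return False
    required = REQUIRED_PRIVILEGE.get((method.upper(), _normalize(path)))
    return required is not None and required in account.privileges
```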


Related Identifiers: CVE-2018-10465

Affected Products: Jamf Pro