PT-2023-9808 · Proxmox · Proxmox Virtual Environment

Rory Mcnamara · Published 2023-12-22 · Updated 2026-02-20 · CVE-2024-21545

CVSS v3.1: 8.2 (High)
Vector: AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:N
Name of the Vulnerable Software and Affected Versions: Proxmox Virtual Environment versions 8.2.2 and earlier

Description: The issue stems from insufficient safeguards against malicious API response values in Proxmox Virtual Environment, allowing authenticated attackers holding the 'Sys.Audit' or 'VM.Monitor' privilege to download arbitrary host files via the API. The result is an arbitrary file read, which can lead to full compromise of the system by disclosing sensitive files and enabling privileged session forgery. Two endpoints were identified through which the object returned by a request handler can be controlled, so that the 'download' object is defined by, and under the control of, the requester.

Recommendations: For Proxmox Virtual Environment version 8.2.2, consider disabling the handle api2 request function until a patch is available, to prevent arbitrary file read. Restrict access to the vulnerable API endpoints to minimize the risk of exploitation. Avoid using the download object in the affected API endpoints until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.
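The weakness class the description above names (a dispatcher that honours a 'download' key in whatever object a handler returns), modelled as an added Python example that is not Proxmox code: the handler names, API paths, registry and the `download_allowed` flag are hypothetical, and the file tree is constructed inside a temporary directory. The hardened dispatcher shows the two checks a defender wants: only handlers registered as file-serving may return a download, and the path must resolve inside an allowed root.

```python
import tempfile
from pathlib import Path
def status_handler(params):
    # Echoes a caller-supplied structure back as the response object: the
    # pattern the advisory describes, so the requester can plant a 'download' key.
    return params.get("data", {})
def tasklog_handler(params):
    # Legitimate file-serving endpoint: it picks the file from a fixed root.
    return {"download": str(Path(params["root"]) / "task.log")}
# Hypothetical registry: (handler, may this handler return a download at all?)
HANDLERS = {
    "/nodes/status": (status_handler, False),
    "/nodes/tasklog": (tasklog_handler, True),
}
def dispatch_vulnerable(path, params):
    """Weak model: any 'download' key in a response is streamed as a file."""
    resp = HANDLERS[path][0](params)
    if isinstance(resp, dict) and "download" in resp:
        return Path(resp["download"]).read_bytes()
    return resp
def dispatch_hardened(path, params, allowed_root):
    """Hardened model: download only from registered file handlers, only under allowed_root."""
    fn, download_allowed = HANDLERS[path]
    resp = fn(params)
    if isinstance(resp, dict) and "download" in resp:
        if not download_allowed:
            raise PermissionError(f"{path} may not return a download object")
        target = Path(resp["download"]).resolve()
        root = Path(allowed_root).resolve()
        if not target.is_relative_to(root):
            raise PermissionError("download path escapes allowed root")
        return target.read_bytes()
    return resp
def demo():
    """Constructed scenario; returns (bytes leaked by weak model, hardened refused?, legit log)."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / "logs"
        root.mkdir()
        (root / "task.log").write_text("task ok\n")
        secret = Path(tmp) / "secret.txt"   # outside the log root
        secret.write_text("SECRET\n")
        injected = {"data": {"download": str(secret)}}  # client-shaped response
        leaked = dispatch_vulnerable("/nodes/status", injected)
        try:
            dispatch_hardened("/nodes/status", injected, root)
            refused = False
        except PermissionError:
            refused = True
        legit = dispatch_hardened("/nodes/tasklog", {"root": str(root)}, root)
        return leaked, refused, legit
```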

Weakness Enumeration

Related Identifiers: BDU:2024-11466, CVE-2024-21545

Affected Products: Proxmox Virtual Environment