PT-2024-17792 · Delinea · Delinea Pam Secret Server

Published 2024-12-26 · Updated 2025-10-15 · CVE-2024-12908

CVSS v3.1: 8.3 (High)
Vector: AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: Delinea Secret Server version 11.7.31 (protocol handler version 6.0.3.26)

Description: The issue arises from comparing URIs before normalization and canonicalization within the protocol handler function, which can lead to over-matching against the approved list. If successfully exploited, a remote attacker may convince a user to visit a malicious web page or open a malicious document, triggering the vulnerable handler and allowing arbitrary code execution on the user's machine. Delinea added validation to ensure the downloaded installer's batch file is in the expected format.
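An added illustration of the bug class named in the description, not Delinea's handler code: a hypothetical allowlist check on the raw URI string beside the same check performed after canonicalization, with constructed sample URIs showing where only the raw-string version over-matches (and where it under-matches). The allowlist origin and path are assumptions.

```python
# Hypothetical allowlist and sample URIs; this is not Delinea's code.
import posixpath
from urllib.parse import unquote, urlsplit

# Constructed allowlist: only this origin and path prefix may launch anything.
APPROVED_SCHEME = "https"
APPROVED_HOST = "secrets.example.com"
APPROVED_PATH_PREFIX = "/launcher/"


def naive_is_approved(uri: str) -> bool:
    """Weak check: raw string prefix comparison before any normalization."""
    return uri.startswith(f"{APPROVED_SCHEME}://{APPROVED_HOST}{APPROVED_PATH_PREFIX}")


def canonicalize(uri: str) -> tuple[str, str, str]:
    """Return (scheme, host, path) in canonical form: lowercase scheme and host,
    path percent-decoded once with '.' and '..' segments resolved. Userinfo, port,
    query and fragment are deliberately left out of the comparison."""
    parts = urlsplit(uri)
    host = (parts.hostname or "").lower()
    path = posixpath.normpath(unquote(parts.path or "/"))
    return parts.scheme.lower(), host, path


def strict_is_approved(uri: str) -> bool:
    """Hardened check: compare only after canonicalization, then refuse anything
    still ambiguous (leftover '%' from double encoding, backslash separators)."""
    scheme, host, path = canonicalize(uri)
    if scheme != APPROVED_SCHEME or host != APPROVED_HOST:
        return False
    if "%" in path or "\\" in path:
        return False
    return path == APPROVED_PATH_PREFIX.rstrip("/") or path.startswith(APPROVED_PATH_PREFIX)


# Constructed URIs with expected (naive, strict) verdicts. Rows where the two
# disagree are the over-matches (naive True) and under-matches (naive False).
SAMPLES = {
    "https://secrets.example.com/launcher/start.bat": (True, True),
    "https://secrets.example.com/launcher/../admin/run.bat": (True, False),
    "https://secrets.example.com/launcher/%2e%2e/admin/run.bat": (True, False),
    "https://secrets.example.com/launcher/..%5Cadmin%5Crun.bat": (True, False),
    "HTTPS://Secrets.Example.com/launcher/start.bat": (False, True),
    "https://secrets.example.com.attacker.test/launcher/start.bat": (False, False),
}


def compare_checks() -> dict[str, tuple[bool, bool]]:
    """Run both checks over SAMPLES and return the verdict pairs."""
    return {uri: (naive_is_approved(uri), strict_is_approved(uri)) for uri in SAMPLES}
```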
Recommendations: For Delinea Secret Server version 11.7.31, consider disabling the protocol handler function until a patch is available to prevent potential exploitation. As a temporary workaround, restrict access to the protocol handler to minimize the risk of arbitrary code execution. Avoid using the vulnerable protocol handler to handle URIs until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

Exploit: Code Injection

Weakness Enumeration

Related Identifiers: CVE-2024-12908

Affected Products: Delinea Pam Secret Server