PT-2024-21070 · Avsystem · Avsystem Unified Management Platform

Published 2024-03-18 · Updated 2025-03-14 · CVE-2024-25654

CVSS v3.1: 5.5 Medium

Vector: AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

Name of the Vulnerable Software and Affected Versions

AVSystem Unified Management Platform (UMP) version 23.07.0.16567~LTS

Description

The issue is related to insecure permissions for log files, allowing members with local access to the application server to access credentials for authentication to all services and decrypt sensitive data stored in the database.

Recommendations

For AVSystem Unified Management Platform (UMP) version 23.07.0.16567~LTS, consider restricting local access to the UMP application server and reviewing log file permissions to minimize the risk of exploitation. As a temporary workaround, restrict access to sensitive data stored in the database until a patch is available. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

Exploit

Weakness Enumeration

Incorrect Default Permissions

Insertion into Log File

Related Identifiers

CVE-2024-25654

Affected Products

Avsystem Unified Management Platform