PT-2024-23389 · Eclipse · Eclipse Kura, Org.Eclipse.Kura.Web2

Davide Virruso · Published 2024-04-09 · Updated 2025-02-06 · CVE-2024-3046

CVSS v3.1: 7.5 (High)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Name of the Vulnerable Software and Affected Versions

Eclipse Kura versions 5.0.0 through 5.4.1
org.eclipse.kura:org.eclipse.kura.web2 versions 2.0.600 through 2.4.0

Description

A specifically crafted request to the LogServlet component can allow an unauthenticated user to retrieve the device logs. The downloaded logs may be used by an attacker to perform privilege escalation by using the session id of an authenticated user that appears in the logs.

Recommendations

For Eclipse Kura versions 5.0.0 through 5.4.1, update to version 5.4.2 to resolve the issue. For org.eclipse.kura:org.eclipse.kura.web2 versions 2.0.600 through 2.4.0, update to a version that is not included in the affected range, as the specific fixed version for this component is not provided. As a temporary workaround, consider restricting access to the LogServlet component until a patch is available.
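As an added example (not code from this advisory or from the Eclipse Kura project), a small Python detector that runs over constructed web-access-log lines and flags the two stages of the chain described above: a successful LogServlet request carrying no session cookie, and a session id later reused from a different client address. The LogServlet path fragment, the JSESSIONID cookie name and the access-log layout are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample access-log lines (Combined Log Format with a trailing
# quoted Cookie field). Not taken from any real Kura deployment; the
# LogServlet path and the JSESSIONID cookie name are assumptions.
SAMPLE_ACCESS_LOG = """\
10.0.0.5 - - [09/Apr/2024:10:01:02 +0000] "GET /admin/console HTTP/1.1" 200 5120 "-" "Mozilla/5.0" "JSESSIONID=abc123"
10.0.0.9 - - [09/Apr/2024:10:01:07 +0000] "GET /admin/servlet/LogServlet?type=log HTTP/1.1" 200 204800 "-" "curl/8.4.0" "-"
10.0.0.5 - - [09/Apr/2024:10:02:11 +0000] "GET /admin/servlet/LogServlet?type=log HTTP/1.1" 200 204800 "-" "Mozilla/5.0" "JSESSIONID=abc123"
10.0.0.9 - - [09/Apr/2024:10:02:30 +0000] "POST /admin/console/login HTTP/1.1" 200 310 "-" "curl/8.4.0" "JSESSIONID=abc123"
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\d+|-) "[^"]*" "(?P<ua>[^"]*)" "(?P<cookie>[^"]*)"$'
)
SESSION_RE = re.compile(r"JSESSIONID=([^;\s]+)")
LOG_SERVLET = "/LogServlet"  # assumed path fragment of the vulnerable servlet


def parse(line):
    """Parse one access-log line into a dict, or None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    sm = SESSION_RE.search(rec["cookie"])
    rec["session"] = sm.group(1) if sm else None
    return rec


def find_findings(log_text):
    """Return (kind, client_ip, detail) tuples for suspicious events."""
    findings = []
    session_ips = defaultdict(set)  # session id -> set of client addresses
    for raw in log_text.splitlines():
        rec = parse(raw)
        if rec is None:
            continue
        # Stage 1: log download served to a client with no session at all.
        if LOG_SERVLET in rec["path"] and rec["session"] is None and rec["status"] == "200":
            findings.append(("unauthenticated_log_download", rec["ip"], rec["path"]))
        # Stage 2: a session id already bound to one address shows up from another.
        if rec["session"]:
            session_ips[rec["session"]].add(rec["ip"])
            if len(session_ips[rec["session"]]) > 1:
                findings.append(("session_reused_from_new_ip", rec["ip"], rec["session"]))
    return findings
```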

Fix

Weakness Enumeration

Related Identifiers

CVE-2024-3046
GHSA-FRC2-W2CC-X794

Affected Products

Eclipse Kura
Org.Eclipse.Kura.Web2