PT-2024-27346 · Zsa
Published: 2024-06-06 · Updated: 2024-10-31
CVE-2024-37162
CVSS v4.0: 6.9 (Medium)
Vector: AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N
Name of the Vulnerable Software and Affected Versions
zsa versions prior to 0.3.3
Description
In production build mode, zsa sends the stack trace of a server-side parse error to the client. That stack trace can reveal details of the server environment, such as the machine username and directory paths. An attacker could use it to obtain sensitive server information, which could then be used to plan further attacks or to gain a deeper understanding of the server infrastructure. All users are impacted.
Recommendations
For versions prior to 0.3.3, update to version 0.3.3 to resolve the issue. As a temporary workaround, consider restricting access to sensitive server information until the update is applied.
Weakness Enumeration
CWE-209: Generation of Error Message Containing Sensitive Information
Affected Products
Zsa