CVE-2024-49357

Name of the Vulnerable Software and Affected Versions ZimaOS versions 1.2.4 and earlier

Description The issue concerns the exposure of sensitive data through API endpoints, such as http://<Server-IP>/v1/users/image?path=/var/lib/casaos/1/app order.json and http://<Server-IP>/v1/users/image?path=/var/lib/casaos/1/system.json, without requiring authentication or authorization. This allows attackers to gain detailed knowledge about the system setup, installed applications, and other critical information.

Recommendations For ZimaOS versions 1.2.4 and earlier, as a temporary workaround, consider restricting access to the vulnerable API endpoints until a patch is available. Avoid using these endpoints to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this issue.