|
[Japanese]
|
JVNDB-2024-000032
|
Multiple vulnerabilities in FitNesse
|
|
FitNesse contains multiple vulnerabilities listed below.- Multiple cross-site scripting (CWE-79) - CVE-2024-23604, CVE-2024-28128
- Improper restriction of XML external entity references (CWE-611) -CVE-2024-28039
- OS command injection (CWE-78) - CVE-2024-28125
CVE-2024-23604, CVE-2024-28039, CVE-2024-28125
Kanta Nishitani of GMO Cybersecurity by Ierae, Inc. reported this vulnerability to IPA.
JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
CVE-2024-28128
Yutaka WATANABE of GMO Cybersecurity by Ierae, Inc. reported this vulnerability to IPA.
JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
|
|
CVSS V3 Severity:
Base Metrics 8.8 (High) [IPA Score]
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: Low
- User Interaction: None
- Scope: Unchanged
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: High
CVSS V2 Severity:
Base Metrics 6.5 (Medium) [IPA Score]
- Access Vector: Network
- Access Complexity: Low
- Authentication: Single Instance
- Confidentiality Impact: Partial
- Integrity Impact: Partial
- Availability Impact: Partial
The above CVSS base scores have been assigned for CVE-2024-28125
|
CVSS V3 Severity:
Base Metrics
6.1 (Medium) [IPA Score]
-
Attack Vector: Network
-
Attack Complexity: Low
-
Privileges Required: None
-
User Interaction: Required
-
Scope: Changed
-
Confidentiality Impact: Low
-
Integrity Impact: Low
-
Availability Impact: None
CVSS V2 Severity:Base Metrics
4.3 (Medium)
[IPA Score]
-
Access Vector: Network
-
Access Complexity: Medium
-
Authentication: None
-
Confidentiality Impact: None
-
Integrity Impact: Partial
-
Availability Impact: None
The above CVSS base scores have been assigned for CVE-2024-23604, CVE-2024-28128
|
CVSS V3 Severity:
Base Metrics
5.8 (Medium) [IPA Score]
-
Attack Vector: Network
-
Attack Complexity: Low
-
Privileges Required: None
-
User Interaction: None
-
Scope: Changed
-
Confidentiality Impact: Low
-
Integrity Impact: None
-
Availability Impact: None
CVSS V2 Severity:Base Metrics
5.0 (Medium)
[IPA Score]
-
Access Vector: Network
-
Access Complexity: Low
-
Authentication: None
-
Confidentiality Impact: Partial
-
Integrity Impact: None
-
Availability Impact: None
The above CVSS base scores have been assigned for CVE-2024-28039
|
|
|
unclebob
- FitNesse releases prior to 20220319 (CVE-2024-28128)
- FitNesse all releases (CVE-2024-23604, CVE-2024-28039, CVE-2024-28125)
|
|
|
- An arbitrary script may be executed on the web browser of the user who is using the product and accessing a link with specially crafted multiple parameters. - CVE-2024-23604
- A FitNesse user may obtain sensitive information, alter data, or cause a denial-of-service (DoS) - CVE-2024-28039
- An arbitrary OS command may be executed by a FitNesse user - CVE-2024-28125
- An arbitrary script may be executed on the web browser of the user who is using the product and accessing a link with a specially crafted certain parameter. - CVE-2024-28128
|
|
CVE-2024-28128
[Update the software]
Update the software to the latest version according to the information provided by the developer.
The developer fixed the vulnerability in the following version:- FitNesse release 20220319
CVE-2024-23604, CVE-2024-28039, CVE-2024-28125
[Apply a Workaround]
The developer recommends applying "Using FitNesse Safely" as shown in Security Policy.
For more information, refer to the information provided by the developer.
|
|
unclebob
|
|
- OS Command Injection(CWE-78) [IPA Evaluation]
- Cross-site Scripting(CWE-79) [IPA Evaluation]
- No Mapping(CWE-Other) [IPA Evaluation]
|
|
- CVE-2024-23604
- CVE-2024-28039
- CVE-2024-28125
- CVE-2024-28128
|
|
- JVN : JVN#94521208
|
|
- [2024/03/18]
Web page was published
- [2024/03/19]
Overview was modified
|
