CVE-2024-21545

25.09.2024, 01:15

Proxmox Virtual Environment is an open-source server management platform for enterprise virtualization. Insufficient safeguards against malicious API response values allow authenticated attackers with 'Sys.Audit' or 'VM.Monitor' privileges to download arbitrary host files via the API.
When handling the result from a request handler before returning it to the user, the handle_api2_request function will check for the download or data->download objects inside the request handler call response object. If present, handle_api2_request will read a local file defined by this object and return it to the user.
Two endpoints were identified which can control the object returned by a request handler sufficiently that the download object is defined and user controlled. This results in arbitrary file read.
The privileges of this file read can result in full compromise of the system by various impacts such as disclosing sensitive files allowing for privileged session forgery.

Provider	Type	Base Score	Atk. Vector	Atk. Complexity	Priv. Required	Vector
NIST	NIST	8.2 HIGH	NETWORK	HIGH	LOW	CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:N
snyk	CNA	8.2 HIGH	NETWORK	HIGH	LOW	CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:N
CISA-ADP	ADP	---				---

Base Score

CVSS 3.x

EPSS Score

Percentile: 17%

Vendor	Product	Version
proxmox	mail_gateway	7.2 < 𝑥 < 7.2
proxmox	mail_gateway	8.1-1 < 𝑥 < 8.1-1
proxmox	virtual_environment	7.3 < 𝑥 < 7.3
proxmox	virtual_environment	8.2-2 < 𝑥 < 8.2-2

𝑥

= Vulnerable software versions

Common Weakness Enumeration

CWE-73 - External Control of File Name or Path
The software allows user input to control or influence paths or file names that are used in filesystem operations.

References

https://forum.proxmox.com/threads/proxmox-virtual-environment-security-advisories.149331/post-705345

https://git.proxmox.com/?p=pve-http-server.git;a=blob;f=src/PVE/APIServer/AnyEvent.pm;h=a8d60c18102d2eea9235720852fb60d90f405d0a;hb=HEAD#l988