nvd-json-data-feeds/CVE-2024/CVE-2024-515xx/CVE-2024-51561.json

{
  "id": "CVE-2024-51561",
  "sourceIdentifier": "vdisclose@cert-in.org.in",
  "published": "2024-11-04T13:17:05.963",
  "lastModified": "2024-11-06T15:59:22.287",
  "vulnStatus": "Analyzed",
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "This vulnerability exists in Aero due to improper implementation of OTP validation mechanism in certain API endpoints. An authenticated remote attacker could exploit this vulnerability by intercepting and manipulating the responses exchanged during the second factor authentication process.  \n\nSuccessful exploitation of this vulnerability could allow the attacker to bypass OTP verification for accessing other user accounts."
    },
    {
      "lang": "es",
      "value": "Esta vulnerabilidad existe en Aero debido a la implementaci\u00f3n incorrecta del mecanismo de validaci\u00f3n OTP en ciertos endpoints de API. Un atacante remoto autenticado podr\u00eda aprovechar esta vulnerabilidad interceptando y manipulando las respuestas intercambiadas durante el proceso de autenticaci\u00f3n de segundo factor. La explotaci\u00f3n exitosa de esta vulnerabilidad podr\u00eda permitir al atacante omitir la verificaci\u00f3n OTP para acceder a otras cuentas de usuario."
    }
  ],
  "metrics": {
    "cvssMetricV40": [
      {
        "source": "vdisclose@cert-in.org.in",
        "type": "Secondary",
        "cvssData": {
          "version": "4.0",
          "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:L/SI:L/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
          "baseScore": 9.3,
          "baseSeverity": "CRITICAL",
          "attackVector": "NETWORK",
          "attackComplexity": "LOW",
          "attackRequirements": "NONE",
          "privilegesRequired": "NONE",
          "userInteraction": "NONE",
          "vulnConfidentialityImpact": "HIGH",
          "vulnIntegrityImpact": "HIGH",
          "vulnAvailabilityImpact": "HIGH",
          "subConfidentialityImpact": "LOW",
          "subIntegrityImpact": "LOW",
          "subAvailabilityImpact": "LOW",
          "exploitMaturity": "NOT_DEFINED",
          "confidentialityRequirement": "NOT_DEFINED",
          "integrityRequirement": "NOT_DEFINED",
          "availabilityRequirement": "NOT_DEFINED",
          "modifiedAttackVector": "NOT_DEFINED",
          "modifiedAttackComplexity": "NOT_DEFINED",
          "modifiedAttackRequirements": "NOT_DEFINED",
          "modifiedPrivilegesRequired": "NOT_DEFINED",
          "modifiedUserInteraction": "NOT_DEFINED",
          "modifiedVulnConfidentialityImpact": "NOT_DEFINED",
          "modifiedVulnIntegrityImpact": "NOT_DEFINED",
          "modifiedVulnAvailabilityImpact": "NOT_DEFINED",
          "modifiedSubConfidentialityImpact": "NOT_DEFINED",
          "modifiedSubIntegrityImpact": "NOT_DEFINED",
          "modifiedSubAvailabilityImpact": "NOT_DEFINED",
          "Safety": "NOT_DEFINED",
          "Automatable": "NOT_DEFINED",
          "Recovery": "NOT_DEFINED",
          "valueDensity": "NOT_DEFINED",
          "vulnerabilityResponseEffort": "NOT_DEFINED",
          "providerUrgency": "NOT_DEFINED"
        }
      }
    ],
    "cvssMetricV31": [
      {
        "source": "nvd@nist.gov",
        "type": "Primary",
        "cvssData": {
          "version": "3.1",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
          "baseScore": 7.5,
          "baseSeverity": "HIGH",
          "attackVector": "NETWORK",
          "attackComplexity": "LOW",
          "privilegesRequired": "NONE",
          "userInteraction": "NONE",
          "scope": "UNCHANGED",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "NONE",
          "availabilityImpact": "NONE"
        },
        "exploitabilityScore": 3.9,
        "impactScore": 3.6
      }
    ]
  },
  "weaknesses": [
    {
      "source": "vdisclose@cert-in.org.in",
      "type": "Secondary",
      "description": [
        {
          "lang": "en",
          "value": "CWE-807"
        }
      ]
    },
    {
      "source": "nvd@nist.gov",
      "type": "Primary",
      "description": [
        {
          "lang": "en",
          "value": "NVD-CWE-Other"
        }
      ]
    }
  ],
  "configurations": [
    {
      "nodes": [
        {
          "operator": "OR",
          "negate": false,
          "cpeMatch": [
            {
              "vulnerable": true,
              "criteria": "cpe:2.3:a:63moons:aero:*:*:*:*:*:*:*:*",
              "versionEndExcluding": "120820241550",
              "matchCriteriaId": "F04B8B0A-9AD2-4CB8-B164-4D024B9E8547"
            },
            {
              "vulnerable": true,
              "criteria": "cpe:2.3:a:63moons:wave_2.0:*:*:*:*:*:*:*:*",
              "versionEndExcluding": "1.1.7",
              "matchCriteriaId": "6CB8ACF7-4C40-492A-AA7E-41FDA5A3B913"
            }
          ]
        }
      ]
    }
  ],
  "references": [
    {
      "url": "https://www.cert-in.org.in/s2cMainServlet?pageid=PUBVLNOTES01&VLCODE=CIVN-2024-0332",
      "source": "vdisclose@cert-in.org.in",
      "tags": [
        "Third Party Advisory"
      ]
    }
  ]
}