CVE-2024-6979

Amin Aliakbari, member of the AXIS OS Bug Bounty Program, has found a broken access control which would lead to less-privileged operator- and/or viewer accounts having more privileges than designed. The risk of exploitation is very low as it requires complex steps to execute, including knowing of account passwords and social engineering attacks in tricking the administrator to perform specific configurations on operator- and/or viewer-privileged accounts. Axis has released patched AXIS OS a version for the highlighted flaw. Please refer to the Axis security advisory for more information and solution.

CVSS v3 6.8 MEDIUM

6.8^/10

CVSS v3 : MEDIUM

Vector :

Exploitability : 0.9 / Impact : 5.9

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required HIGH

User Interaction REQUIRED

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope UNCHANGED

References

Link	Resource
https://www.axis.com/dam/public/c3/44/5b/cve-2024-6979-en-US-448997.pdf

Configurations

No configuration.

History

08 Nov 2024, 09:15

Type	Values Removed	Values Added
CWE		CWE-863

10 Sep 2024, 12:09

Type	Values Removed	Values Added
New CVE

Information

Published : 2024-09-10 06:15

Updated : 2024-11-08 09:15

NVD link : CVE-2024-6979

Mitre link : CVE-2024-6979

CVE.ORG link : CVE-2024-6979

JSON object : View

Products Affected

No product.

CWE

CWE-863

Incorrect Authorization

{"id": "CVE-2024-6979", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "product-security@axis.com", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 6.8, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "HIGH", "confidentialityImpact": "HIGH"}, "impactScore": 5.9, "exploitabilityScore": 0.9}]}, "published": "2024-09-10T06:15:01.990", "references": [{"url": "https://www.axis.com/dam/public/c3/44/5b/cve-2024-6979-en-US-448997.pdf", "source": "product-security@axis.com"}], "vulnStatus": "Awaiting Analysis", "weaknesses": [{"type": "Secondary", "source": "product-security@axis.com", "description": [{"lang": "en", "value": "CWE-863"}]}], "descriptions": [{"lang": "en", "value": "Amin Aliakbari, member of the AXIS OS Bug Bounty Program, has found a broken access control which would lead to less-privileged operator- and/or viewer accounts having more privileges than designed. The risk of exploitation is very low as it requires complex steps to execute, including knowing of account passwords and social engineering attacks in tricking the administrator to perform specific configurations on operator- and/or viewer-privileged accounts. \nAxis has released patched AXIS OS a version for the highlighted flaw. Please refer to the Axis security advisory for more information and solution."}, {"lang": "es", "value": "Amin Aliakbari, miembro del programa Bug Bounty de AXIS OS, ha descubierto un control de acceso defectuoso que podr\u00eda provocar que las cuentas de operador y/o espectador con menos privilegios tuvieran m\u00e1s privilegios de los previstos. El riesgo de explotaci\u00f3n es muy bajo, ya que requiere pasos complejos para su ejecuci\u00f3n, incluido el conocimiento de las contrase\u00f1as de las cuentas y ataques de ingenier\u00eda social para enga\u00f1ar al administrador para que realice configuraciones espec\u00edficas en cuentas con privilegios de operador y/o espectador. Axis ha publicado una versi\u00f3n parcheada de AXIS OS para la falla resaltada. Consulte el aviso de seguridad de Axis para obtener m\u00e1s informaci\u00f3n y soluciones."}], "lastModified": "2024-11-08T09:15:07.987", "sourceIdentifier": "product-security@axis.com"}