CVE-2024-24562 MEDIUM

CVE-2024-24562: Security headers not set in vantage6-UI

Vendor: Vantage6
Product: vantage6-UI
Weakness: CWE-693
Published: March 14, 2024
Last update: August 1, 2024

CVSS base score

5.4/10
Attack vector: Network
Attack complexity: Low
Privileges required: None
User interaction: Required
Confidentiality: Low
Integrity: Low

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N

What the vulnerability does

01 Description

vantage6-UI is the official user interface for the vantage6 server. In affected versions, a number of security headers are not set. This issue has been addressed in commit `68dfa6614`, which is expected to be included in future releases. Users are advised to upgrade when a new release is made. While no upgrade path is available, users may modify the Docker image build to insert the headers into nginx.

Key dates

02 Disclosure timeline

March 14, 2024 CVE published
August 1, 2024 Record updated