CVE-2024-37162 MEDIUM

CVE-2024-37162: zsa Generates Error Messages Containing Sensitive Information

Vendor Idopesok
Product zsa
Weakness CWE-209 · Error message info leak
Published June 7, 2024
Last update August 2, 2024

CVSS base score

4.0/10
Attack vector Local
Attack complexity Low
Privileges required None
User interaction None
Scope Unchanged
Confidentiality Low
Integrity None
Availability None

CVSS vector

CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

What the vulnerability does

Description

zsa is a library for building typesafe server actions in Next.js. All users of versions before `0.3.3` are impacted. When input parsing fails, zsa returns the parse error's stack trace from the server to the client, even in production build mode. A server-side stack trace can reveal sensitive details of the server environment, such as the machine username and absolute directory paths. An attacker who triggers a parse error can collect this information to map the server infrastructure and plan further attacks. This has been patched in `0.3.3`.
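The failure mode is easiest to see in code. The following is an added illustration of CWE-209 in a server-action wrapper; it is not zsa's own code, and the names `parseInput`, `toClientErrorUnsafe`, `toClientErrorSafe`, `runAction` and `leaksStack` are hypothetical. It places a vulnerable serializer, which forwards `err.stack` unconditionally, next to a hardened one that drops the stack when `NODE_ENV` is `production`, and it checks whether a payload still carries stack frames.

```typescript
// Added example (not zsa's code): how a parse error's stack leaks to the client,
// and the minimal change that stops it in production builds.

type ClientError = { code: string; message: string; stack?: string };

/** Hypothetical input parser: throws on invalid input, like a schema library would. */
function parseInput(raw: unknown): { email: string } {
  const obj = raw as { email?: unknown } | null;
  if (typeof obj !== "object" || obj === null || typeof obj.email !== "string") {
    throw new Error(
      `Input parse failed: expected { email: string }, got ${JSON.stringify(raw)}`
    );
  }
  return { email: obj.email };
}

/** Vulnerable shape: the server-side stack (absolute paths, usernames) goes to the caller as-is. */
function toClientErrorUnsafe(err: Error): ClientError {
  return { code: "INPUT_PARSE_ERROR", message: err.message, stack: err.stack };
}

/** Hardened shape: attach the stack only outside production; strip it otherwise. */
function toClientErrorSafe(err: Error, nodeEnv: string): ClientError {
  const out: ClientError = { code: "INPUT_PARSE_ERROR", message: err.message };
  if (nodeEnv !== "production") {
    out.stack = err.stack; // useful locally, never shipped to a production client
  }
  return out;
}

/** Runs the hypothetical action and returns exactly what would be serialized to the browser. */
function runAction(
  raw: unknown,
  nodeEnv: string,
  safe: boolean
): ClientError | { ok: true } {
  try {
    parseInput(raw);
    return { ok: true };
  } catch (e) {
    const err = e instanceof Error ? e : new Error(String(e));
    return safe ? toClientErrorSafe(err, nodeEnv) : toClientErrorUnsafe(err);
  }
}

/** True if the payload carries stack frames ("    at ..." lines, which include file paths). */
function leaksStack(payload: ClientError | { ok: true }): boolean {
  return (
    "stack" in payload &&
    typeof payload.stack === "string" &&
    /^\s+at\s/m.test(payload.stack)
  );
}

// Constructed sample input that fails parsing (email is a number, not a string).
const badInput = { email: 42 };
console.log("unsafe, production:", leaksStack(runAction(badInput, "production", false)));
console.log("safe, production:  ", leaksStack(runAction(badInput, "production", true)));
console.log("safe, development: ", leaksStack(runAction(badInput, "development", true)));
```

Gating on the environment is the minimum. A practitioner would also review `message` itself, since a parse error's message often echoes the rejected input, and would log the full error server-side so the stack is still available where it belongs.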

Key dates

Disclosure timeline

June 7, 2024 CVE published
August 2, 2024 Record updated
