CVE-2024-42363 HIGH

CVE-2024-42363: GHSL-2023-136_Samson

Vendor Zendesk

Product Samson

Weakness CWE-502 · Unsafe deserialization

Published August 20, 2024

Last update August 20, 2024

View on NVD All CVEs

CVSS base score

8.8/10

Attack vector Network

Attack complexity Low

Privileges required Low

User interaction None

Confidentiality High

Integrity High

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

What the vulnerability does

01Description

Prior to 3385, the user-controlled role parameter enters the application in the Kubernetes::RoleVerificationsController. The role parameter flows into the RoleConfigFile initializer and then into the Kubernetes::Util.parse_file method where it is unsafely deserialized using the YAML.load_stream method. This issue may lead to Remote Code Execution (RCE). This vulnerability is fixed in 3385.

Key dates

02Disclosure timeline

August 20, 2024 CVE published

August 20, 2024 Record updated

External resources

03References

NVD — National Vulnerability Database https://nvd.nist.gov/vuln/detail/CVE-2024-42363

Related vulnerabilities

CVE-2024-42363: GHSL-2023-136_Samson

01Description

02Disclosure timeline

03References

04Related CVE