Risk | Medium |
Patch available | YES |
Number of vulnerabilities | 1 |
CVE-ID | CVE-2024-21510 |
CWE-ID | CWE-807 |
Exploitation vector | Network |
Public exploit | N/A |
Vulnerable software | Anolis OS (Operating systems & Components / Operating system), pcs-snmp (Operating systems & Components / Operating system package or component), pcs (Operating systems & Components / Operating system package or component) |
Vendor | OpenAnolis |
Security Bulletin
This security bulletin contains one medium risk vulnerability.
EUVDB-ID: #VU103627
Risk: Medium
CVSSv4.0: 1.3 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Green]
CVE-ID: CVE-2024-21510
CWE-ID: CWE-807 - Reliance on Untrusted Inputs in a Security Decision
Exploit availability: No
Description
The vulnerability allows a remote attacker to gain access to potentially sensitive information.
The vulnerability exists due to excessive data output by the application. A remote attacker who makes a request to a method that applies a redirect can trigger an open redirect by inserting an arbitrary address into the X-Forwarded-Host header. If the application is used for caching purposes, such as with servers like Nginx, or as a reverse proxy, without handling the X-Forwarded-Host header, attackers can potentially exploit cache poisoning or routing-based SSRF.
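The trust decision described above, as an added example (not code from the affected packages or the vendor): a redirect builder that uses X-Forwarded-Host verbatim, beside one that accepts the header only from a trusted proxy address and only when the value is on an allowlist. The host names, proxy range and function names are assumptions made for illustration, and header names are assumed to be already normalised to the spelling used here.

```python
import ipaddress

# Assumed deployment values (hypothetical, not taken from the advisory).
CANONICAL_HOST = "cluster.example.test"
ALLOWED_HOSTS = {CANONICAL_HOST, "cluster.example.test:8443"}
TRUSTED_PROXIES = [ipaddress.ip_network("10.0.0.0/8")]


def unsafe_redirect(headers, path):
    """Weak pattern: the client-controllable forwarded host is used verbatim."""
    host = headers.get("X-Forwarded-Host") or headers.get("Host", "")
    return f"https://{host}{path}"


def from_trusted_proxy(peer_ip):
    """True if the TCP peer address belongs to a configured reverse proxy."""
    addr = ipaddress.ip_address(peer_ip)
    return any(addr in net for net in TRUSTED_PROXIES)


def safe_redirect(headers, peer_ip, path):
    """Build a redirect URL without letting request headers choose the host."""
    host = headers.get("Host", "")
    forwarded = headers.get("X-Forwarded-Host")
    # Only a known proxy may override the host; direct clients are ignored.
    if forwarded and from_trusted_proxy(peer_ip):
        host = forwarded.strip()
    # Exact-match allowlist: unknown hosts and comma-separated lists fall back.
    if host.lower() not in ALLOWED_HOSTS:
        host = CANONICAL_HOST
    # Keep the target local: reject scheme-relative ("//host") and relative paths.
    if not path.startswith("/") or path.startswith("//"):
        path = "/"
    return f"https://{host}{path}"


if __name__ == "__main__":
    # Constructed request: a direct client supplying its own forwarded host.
    spoofed = {"Host": "cluster.example.test", "X-Forwarded-Host": "attacker.example"}
    print(unsafe_redirect(spoofed, "/login"))
    print(safe_redirect(spoofed, "203.0.113.7", "/login"))
```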
Mitigation
Install updates from vendor's repository.
Vulnerable software versions
Anolis OS: 8
pcs-snmp: before 0.10.18-2.0.1
pcs: before 0.10.18-2.0.1
CPE2.3
https://anas.openanolis.cn/errata/detail/ANSA-2024:1186
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware that exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.