#VU86888 Incorrect authorization in Ree6


Published: 2024-02-28

Vulnerability identifier: #VU86888

Vulnerability risk: Medium

CVSSv3.1: 7.7 [CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2022-39302

CWE-ID: CWE-863

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
Ree6
Client/Desktop applications / Software for system administration

Vendor: Ree6 Applications

Description

The vulnerability allows a remote user to bypass security restrictions.

The vulnerability exists due to insufficient validation of user-supplied input. A remote user can send a specifically crafted log message to the application to create configurations such as "Better-Audit-Logging" which contain a channel from another server as a target.

Mitigation
Install updates from vendor's website.

Vulnerable software versions

Ree6: 1.5.1 - 1.9.8

External links
http://github.com/Ree6-Applications/Ree6/security/advisories/GHSA-v574-xgcf-5w8x
http://github.com/Ree6-Applications/Ree6/commit/459b5bc24f0ea27e50031f563373926e94b9aa0a

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.


Latest bulletins with this vulnerability


Multiple vulnerabilities in IBM Watson Machine Learning Accelerator on Cloud Pak for Data