CVE-2024-3046
HIGHEclipse Kura 5.0.0-5.4.1 - Unauthenticated Log Retrieval and Privilege Escalation via LogServlet
Title source: llmDescription
In Eclipse Kura LogServlet component included in versions 5.0.0 to 5.4.1, a specifically crafted request to the servlet can allow an unauthenticated user to retrieve the device logs. Also, downloaded logs may be used by an attacker to perform privilege escalation by using the session id of an authenticated user reported in logs. This issue affects org.eclipse.kura:org.eclipse.kura.web2 version range [2.0.600, 2.4.0], which is included in Eclipse Kura version range [5.0.0, 5.4.1]
References (1)
Core 1
Core References
Issue Tracking, Vendor Advisory
https://gitlab.eclipse.org/security/vulnerability-reports/-/issues/188
Scores
CVSS v3
7.5
EPSS
0.0058
EPSS Percentile
42.7%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
CISA SSVC
Vulnrichment
Exploitation
none
Automatable
no
Technical Impact
total
Details
CWE
CWE-303
Status
published
Products (2)
eclipse/kura
5.0.0 - 5.4.1
org.eclipse.kura/org.eclipse.kura.web2
2.0.600Maven
Published
Apr 09, 2024
Tracked Since
Feb 18, 2026