CVE-2024-42183 (GCVE-0-2024-42183)
Vulnerability from cvelistv5
Published
2025-01-23 01:42
Modified
2025-01-23 14:53
Severity ?
2.5 (Low) - CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:C/C:L/I:N/A:N
CWE
  • CWE-494 - Download of Code Without Integrity Check
Summary
BigFix Patch Download Plug-ins are affected by an arbitrary file download vulnerability. It could allow a malicious operator to download files from arbitrary URLs without any proper validation or allowlist controls.
References
Impacted products
Vendor Product Version
HCL Software BigFix Patch Management Download Plug-ins Version: 1177 and below
 Create a notification for this product.
Show details on NVD website

To clipboard 

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2024-42183",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-01-23T14:53:26.381276Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-01-23T14:53:30.106Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "BigFix Patch Management Download Plug-ins",
          "vendor": "HCL Software",
          "versions": [
            {
              "status": "affected",
              "version": "1177 and below"
            }
          ]
        }
      ],
      "datePublic": "2025-01-21T20:08:00.000Z",
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eBigFix Patch Download Plug-ins are affected by an arbitrary file download vulnerability.  It could allow a malicious operator to download files from arbitrary URLs without any proper validation or allowlist controls. \u003c/span\u003e\u003cbr\u003e"
            }
          ],
          "value": "BigFix Patch Download Plug-ins are affected by an arbitrary file download vulnerability.  It could allow a malicious operator to download files from arbitrary URLs without any proper validation or allowlist controls."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "HIGH",
            "attackVector": "LOCAL",
            "availabilityImpact": "NONE",
            "baseScore": 2.5,
            "baseSeverity": "LOW",
            "confidentialityImpact": "LOW",
            "integrityImpact": "NONE",
            "privilegesRequired": "LOW",
            "scope": "CHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:C/C:L/I:N/A:N",
            "version": "3.1"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-494",
              "description": "CWE-494 Download of Code Without Integrity Check",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-01-23T01:42:47.496Z",
        "orgId": "1e47fe04-f25f-42fa-b674-36de2c5e3cfc",
        "shortName": "HCL"
      },
      "references": [
        {
          "url": "https://support.hcl-software.com/csm?id=kb_article\u0026sysparm_article=KB0118565"
        }
      ],
      "source": {
        "discovery": "UNKNOWN"
      },
      "title": "HCL BigFix Patch Download Plug-ins are affected by an arbitrary file download vulnerability",
      "x_generator": {
        "engine": "Vulnogram 0.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "1e47fe04-f25f-42fa-b674-36de2c5e3cfc",
    "assignerShortName": "HCL",
    "cveId": "CVE-2024-42183",
    "datePublished": "2025-01-23T01:42:47.496Z",
    "dateReserved": "2024-07-29T21:32:05.157Z",
    "dateUpdated": "2025-01-23T14:53:30.106Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1",
  "vulnerability-lookup:meta": {
    "nvd": "{\"cve\":{\"id\":\"CVE-2024-42183\",\"sourceIdentifier\":\"psirt@hcl.com\",\"published\":\"2025-01-23T02:15:35.933\",\"lastModified\":\"2025-01-23T02:15:35.933\",\"vulnStatus\":\"Awaiting Analysis\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"BigFix Patch Download Plug-ins are affected by an arbitrary file download vulnerability.  It could allow a malicious operator to download files from arbitrary URLs without any proper validation or allowlist controls.\"},{\"lang\":\"es\",\"value\":\"Los complementos de BigFix Patch Download se ven afectados por una vulnerabilidad de descarga de archivos arbitrarios. Podr\u00eda permitir que un operador malintencionado descargue archivos desde URL arbitrarias sin ning\u00fan tipo de validaci\u00f3n o control de lista de permitidos.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"psirt@hcl.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:C/C:L/I:N/A:N\",\"baseScore\":2.5,\"baseSeverity\":\"LOW\",\"attackVector\":\"LOCAL\",\"attackComplexity\":\"HIGH\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"REQUIRED\",\"scope\":\"CHANGED\",\"confidentialityImpact\":\"LOW\",\"integrityImpact\":\"NONE\",\"availabilityImpact\":\"NONE\"},\"exploitabilityScore\":0.8,\"impactScore\":1.4}]},\"weaknesses\":[{\"source\":\"psirt@hcl.com\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-494\"}]}],\"references\":[{\"url\":\"https://support.hcl-software.com/csm?id=kb_article\u0026sysparm_article=KB0118565\",\"source\":\"psirt@hcl.com\"}]}}",
    "vulnrichment": {
      "containers": "{\"adp\": [{\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2024-42183\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"none\"}, {\"Automatable\": \"no\"}, {\"Technical Impact\": \"partial\"}], \"version\": \"2.0.3\", \"timestamp\": \"2025-01-23T14:53:26.381276Z\"}}}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2025-01-23T14:53:24.285Z\"}}], \"cna\": {\"title\": \"HCL BigFix Patch Download Plug-ins are affected by an arbitrary file download vulnerability\", \"source\": {\"discovery\": \"UNKNOWN\"}, \"metrics\": [{\"format\": \"CVSS\", \"cvssV3_1\": {\"scope\": \"CHANGED\", \"version\": \"3.1\", \"baseScore\": 2.5, \"attackVector\": \"LOCAL\", \"baseSeverity\": \"LOW\", \"vectorString\": \"CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:C/C:L/I:N/A:N\", \"integrityImpact\": \"NONE\", \"userInteraction\": \"REQUIRED\", \"attackComplexity\": \"HIGH\", \"availabilityImpact\": \"NONE\", \"privilegesRequired\": \"LOW\", \"confidentialityImpact\": \"LOW\"}, \"scenarios\": [{\"lang\": \"en\", \"value\": \"GENERAL\"}]}], \"affected\": [{\"vendor\": \"HCL Software\", \"product\": \"BigFix Patch Management Download Plug-ins\", \"versions\": [{\"status\": \"affected\", \"version\": \"1177 and below\"}], \"defaultStatus\": \"unaffected\"}], \"datePublic\": \"2025-01-21T20:08:00.000Z\", \"references\": [{\"url\": \"https://support.hcl-software.com/csm?id=kb_article\u0026sysparm_article=KB0118565\"}], \"x_generator\": {\"engine\": \"Vulnogram 0.2.0\"}, \"descriptions\": [{\"lang\": \"en\", \"value\": \"BigFix Patch Download Plug-ins are affected by an arbitrary file download vulnerability.  It could allow a malicious operator to download files from arbitrary URLs without any proper validation or allowlist controls.\", \"supportingMedia\": [{\"type\": \"text/html\", \"value\": \"\u003cspan style=\\\"background-color: rgb(255, 255, 255);\\\"\u003eBigFix Patch Download Plug-ins are affected by an arbitrary file download vulnerability.  It could allow a malicious operator to download files from arbitrary URLs without any proper validation or allowlist controls. \u003c/span\u003e\u003cbr\u003e\", \"base64\": false}]}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-494\", \"description\": \"CWE-494 Download of Code Without Integrity Check\"}]}], \"providerMetadata\": {\"orgId\": \"1e47fe04-f25f-42fa-b674-36de2c5e3cfc\", \"shortName\": \"HCL\", \"dateUpdated\": \"2025-01-23T01:42:47.496Z\"}}}",
      "cveMetadata": "{\"cveId\": \"CVE-2024-42183\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2025-01-23T14:53:30.106Z\", \"dateReserved\": \"2024-07-29T21:32:05.157Z\", \"assignerOrgId\": \"1e47fe04-f25f-42fa-b674-36de2c5e3cfc\", \"datePublished\": \"2025-01-23T01:42:47.496Z\", \"assignerShortName\": \"HCL\"}",
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }
  }
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
  • Confirmed: The vulnerability is confirmed from an analyst perspective.
  • Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
  • Patched: This vulnerability was successfully patched by the user reporting the sighting.
  • Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
  • Not confirmed: The user expresses doubt about the veracity of the vulnerability.
  • Not patched: This vulnerability was not successfully patched by the user reporting the sighting.