CVE-2024-42934: Missing Authorization in OpenIPMI

Severity
5.0 MEDIUM (NVD)
EPSS
0.0%
top 95.06%
CISA KEV
Not in KEV
Exploit
No known exploits
Timeline
Published Oct 9

Description

OpenIPMI before 2.0.36 has an out-of-bounds array access (for authentication type) in the ipmi_sim simulator, resulting in denial of service or (with very low probability) authentication bypass or code execution.

CVSS vector

CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L
Exploitability: 1.6 | Impact: 3.4

🔴 Vulnerability Details

2
OSV
CVE-2024-42934: OpenIPMI before 2 | 2024-10-09
GHSA
GHSA-q84v-q853-g3vh: OpenIPMI before 2 | 2024-10-09

📋 Vendor Advisories

3
Microsoft
OpenIPMI before 2.0.36 has an out-of-bounds array access (for authentication type) in the ipmi_sim simulator resulting in denial of service or (with very low probability) authentication bypass or code | 2024-10-08
Red Hat
openipmi: missing check on the authorization type on incoming LAN messages in IPMI simulator | 2024-08-22
Debian
CVE-2024-42934: openipmi - OpenIPMI before 2.0.36 has an out-of-bounds array access (for authentication typ... | 2024