CVE-2024-49357
Published: 2024-10-24
Priority: P267 · Severity: high · CVSS 3.1 base score: 7.5
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Exploit: EPSS 20.60% (97.2th percentile)
ZimaOS is a fork of CasaOS, an operating system for Zima devices and x86-64 systems with UEFI. In version 1.2.4 and all prior versions, the API endpoints in ZimaOS, such as `http:///v1/users/image?path=/var/lib/casaos/1/app_order.json` and `http:///v1/users/image?path=/var/lib/casaos/1/system.json`, expose sensitive data like installed applications and system information without requiring any authentication or authorization. This sensitive data leak can be exploited by attackers to gain detailed knowledge about the system setup, installed applications, and other critical information. As of the time of publication, no known patched versions are available.
Affected (2 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| icewhaletech | zimaos | <= 1.2.4 | — |
| zimaspace | zimaos | < 1.2.5 | 1.2.5 |
Detection & IOCs (extracted from sources)
- HTTP GET request to /v1/users/image with a path parameter pointing to sensitive files; no authentication required. Match the response body for JSON keys indicating sensitive data disclosure.
- The response body may contain os_version or cpu_info fields, indicating successful unauthenticated sensitive data access.
- A response Content-Type of application/json with HTTP 200 status on the /v1/users/image endpoint confirms exploitation.
- The Shodan query 'ZimaOS' can be used to identify exposed ZimaOS instances on the internet.
- The vulnerable endpoints are unauthenticated — no credentials or session tokens are needed to exploit this issue, making it trivially exploitable remotely.
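The detection bullets above can be turned into a log check. The following is an added example, not code from this page or from the ZimaOS project: a Python scanner that reads reverse-proxy access log lines in nginx combined format (an assumption about the deployment) and flags successful GET requests to /v1/users/image whose path parameter names a non-image file such as system.json or app_order.json. The log lines are constructed sample data.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Constructed sample of nginx combined-format access log lines (assumption:
# ZimaOS sits behind a reverse proxy that logs requests in this format).
SAMPLE_LOG = """\
203.0.113.7 - - [24/Oct/2024:10:01:02 +0000] "GET /v1/users/image?path=/var/lib/casaos/1/system.json HTTP/1.1" 200 1843 "-" "curl/8.4.0"
203.0.113.7 - - [24/Oct/2024:10:01:03 +0000] "GET /v1/users/image?path=%2Fvar%2Flib%2Fcasaos%2F1%2Fapp_order.json HTTP/1.1" 200 512 "-" "curl/8.4.0"
198.51.100.4 - - [24/Oct/2024:10:02:10 +0000] "GET /v1/users/image?path=/var/lib/casaos/1/avatar.png HTTP/1.1" 200 40213 "-" "Mozilla/5.0"
198.51.100.4 - - [24/Oct/2024:10:02:11 +0000] "GET /v1/users/image?path=/var/lib/casaos/1/system.json HTTP/1.1" 401 27 "-" "Mozilla/5.0"
192.0.2.9 - - [24/Oct/2024:10:03:00 +0000] "GET /v1/apps HTTP/1.1" 200 900 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

# File types an image-serving endpoint has no business returning.
NON_IMAGE_SUFFIXES = (".json", ".yaml", ".yml", ".db", ".conf", ".env")

def is_disclosure_hit(line: str):
    """Return a dict describing the request if it matches the CVE-2024-49357
    pattern (successful GET to /v1/users/image whose path parameter names a
    non-image file), otherwise None."""
    m = LOG_RE.match(line)
    if not m or m["method"] != "GET":
        return None
    url = urlsplit(m["target"])
    if url.path != "/v1/users/image":
        return None
    # parse_qs percent-decodes once; unquote again to catch double encoding.
    requested = unquote(parse_qs(url.query).get("path", [""])[0])
    if not requested.lower().endswith(NON_IMAGE_SUFFIXES):
        return None
    if m["status"] != "200":
        return None  # a 401/403 here means the server refused the request
    return {"src": m["src"], "ts": m["ts"], "path": requested, "size": int(m["size"])}

def scan(log_text: str):
    """Run the detector over every line and return the hits in order."""
    return [h for h in (is_disclosure_hit(l) for l in log_text.splitlines()) if h]

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(f"{hit['ts']} {hit['src']} read {hit['path']} ({hit['size']} bytes)")
```

A hit with a 200 status and a JSON path is the condition the IOC list describes; a 401 on the same request indicates the endpoint is now enforcing authentication.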
No advisories linked to this vulnerability.
No detection rules found.
Nuclei
ZimaOS <= v1.2.4 - Sensitive Information Disclosure (nuclei · CVSS 7.5)
CVE-2024-49357 [HIGH] ZimaOS <= v1.2.4 - Sensitive Information Disclosure
Template (only the info header is indexed; the request and matcher sections are not shown):

```yaml
id: CVE-2024-49357

info:
  name: ZimaOS <= v1.2.4 - Sensitive Information Disclosure
  severity: high
  description: |
    ZimaOS is a fork of CasaOS, an operating system for Zima devices and x86-64 systems with UEFI.
    In version 1.2.4 and all prior versions, the API endpoints in ZimaOS, such as
    http:///v1/users/image?path=/var/lib/casaos/1/app_order.json and
    http:///v1/users/image?path=/var/lib/casaos/1/system.json, expose sensitive data like
    installed applications and system information without requiring any authentication or
    authorization. This sensitive data leak can be exploited by attackers to gain detailed
    knowledge about the system setup, installed applications, and other critical information.
    As of the time of publication, no known patched versions are available.
```
No writeups or analysis indexed.