CVE-2024-1212 - Vulnerability Details - OpenCVE

Unauthenticated remote attackers can access the system through the LoadMaster management interface, enabling arbitrary system command execution.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Changed

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is in the KEV database since Nov. 18, 2024.

Exploitation active

Automatable yes

Technical Impact total

Vendors	Products
Kemptechnologies	Loadmaster
Progress	Loadmaster

Configuration 1 [-]

OR	cpe:2.3:a:progress:loadmaster::::::::
	cpe:2.3:a:progress:loadmaster::::::::
	cpe:2.3:a:progress:loadmaster::::::::

No data.

References

Link	Providers
https://freeloadbalancer.com/
https://kemptechnologies.com/
https://support.kemptechnologies.com/hc/en-us/articles/23878931058445-LoadMaster-Security-Vulnerability-CVE-2024-1212
https://support.kemptechnologies.com/hc/en-us/articles/24325072850573-Release-Notice-LMOS-7-2-59-2-7-2-54-8-7-2-48-10-CVE-2024-1212

History

Tue, 19 Nov 2024 17:45:00 +0000

Type	Values Removed	Values Added
First Time appeared		Progress Progress loadmaster
CPEs		cpe:2.3:a:progress:loadmaster::::::::
Vendors & Products		Progress Progress loadmaster

Mon, 18 Nov 2024 20:15:00 +0000

Type	Values Removed	Values Added
First Time appeared		Kemptechnologies Kemptechnologies loadmaster
CPEs		cpe:2.3:a:kemptechnologies:loadmaster::::::::
Vendors & Products		Kemptechnologies Kemptechnologies loadmaster
Metrics		kev `{'dateAdded': '2024-11-18'}` ssvc `{'options': {'Automatable': 'yes', 'Exploitation': 'active', 'Technical Impact': 'total'}, 'version': '2.0.3'}`

MITRE

Status: PUBLISHED

Assigner: ProgressSoftware

Published: 2024-02-21T17:39:12.599Z

Updated: 2024-11-19T04:55:42.626Z

Reserved: 2024-02-02T18:16:01.280Z

Link: CVE-2024-1212

Vulnrichment

Updated: 2024-08-01T18:33:24.842Z

NVD

Status : Analyzed

Published: 2024-02-21T18:15:50.417

Modified: 2025-01-27T21:48:30.333

Link: CVE-2024-1212

Redhat

No data.

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2024-1212", "assignerOrgId": "f9fea0b6-671e-4eea-8fde-31911902ae05", "state": "PUBLISHED", "assignerShortName": "ProgressSoftware", "dateReserved": "2024-02-02T18:16:01.280Z", "datePublished": "2024-02-21T17:39:12.599Z", "dateUpdated": "2024-11-19T04:55:42.626Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "affected", "modules": ["LoadMaster Management Interface"], "platforms": ["Linux"], "product": "LoadMaster", "vendor": "Progress Software", "versions": [{"lessThan": "7.2.48.10", "status": "affected", "version": "7.2.48.1", "versionType": "semver"}, {"lessThan": "7.2.54.8", "status": "affected", "version": "7.2.54.0", "versionType": "semver"}, {"lessThan": "7.2.59.2", "status": "affected", "version": "7.2.55.0", "versionType": "semver"}]}], "credits": [{"lang": "en", "type": "finder", "user": "00000000-0000-4000-9000-000000000000", "value": "Rhino Security Labs"}], "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "<span style=\"background-color: rgb(255, 255, 255);\">Unauthenticated remote attackers can access the system through the LoadMaster management interface, enabling arbitrary system command execution.</span>\n\n<br>"}], "value": "Unauthenticated remote attackers can access the system through the LoadMaster management interface, enabling arbitrary system command execution.\n\n\n"}], "impacts": [{"capecId": "CAPEC-113", "descriptions": [{"lang": "en", "value": "CAPEC-113 API Manipulation"}]}, {"capecId": "CAPEC-115", "descriptions": [{"lang": "en", "value": "CAPEC-115 Authentication Bypass"}]}, {"capecId": "CAPEC-88", "descriptions": [{"lang": "en", "value": "CAPEC-88 OS Command Injection"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 10, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-78", "description": "CWE-78 Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "f9fea0b6-671e-4eea-8fde-31911902ae05", "shortName": "ProgressSoftware", "dateUpdated": "2024-02-21T20:45:42.781Z"}, "references": [{"tags": ["product"], "url": "https://kemptechnologies.com/"}, {"tags": ["product"], "url": "https://freeloadbalancer.com/"}, {"tags": ["vendor-advisory"], "url": "https://support.kemptechnologies.com/hc/en-us/articles/24325072850573-Release-Notice-LMOS-7-2-59-2-7-2-54-8-7-2-48-10-CVE-2024-1212"}, {"tags": ["vendor-advisory"], "url": "https://support.kemptechnologies.com/hc/en-us/articles/23878931058445-LoadMaster-Security-Vulnerability-CVE-2024-1212"}], "source": {"discovery": "UNKNOWN"}, "title": "LoadMaster Pre-Authenticated OS Command Injection", "x_generator": {"engine": "Vulnogram 0.1.0-dev"}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-01T18:33:24.842Z"}, "title": "CVE Program Container", "references": [{"tags": ["product", "x_transferred"], "url": "https://kemptechnologies.com/"}, {"tags": ["product", "x_transferred"], "url": "https://freeloadbalancer.com/"}, {"tags": ["vendor-advisory", "x_transferred"], "url": "https://support.kemptechnologies.com/hc/en-us/articles/24325072850573-Release-Notice-LMOS-7-2-59-2-7-2-54-8-7-2-48-10-CVE-2024-1212"}, {"tags": ["vendor-advisory", "x_transferred"], "url": "https://support.kemptechnologies.com/hc/en-us/articles/23878931058445-LoadMaster-Security-Vulnerability-CVE-2024-1212"}]}, {"affected": [{"vendor": "kemptechnologies", "product": "loadmaster", "cpes": ["cpe:2.3:a:kemptechnologies:loadmaster:*:*:*:*:*:*:*:*"], "defaultStatus": "unknown", "versions": [{"version": "7.2.48.1", "status": "affected", "lessThan": "7.2.48.10", "versionType": "custom"}, {"version": "7.2.54.0", "status": "affected", "lessThan": "7.2.54.8", "versionType": "custom"}, {"version": "7.2.55.0", "status": "affected", "lessThan": "7.2.59.2", "versionType": "custom"}]}], "metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2024-02-23T00:00:00+00:00", "options": [{"Exploitation": "active"}, {"Automatable": "yes"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3", "id": "CVE-2024-1212"}}}, {"other": {"type": "kev", "content": {"dateAdded": "2024-11-18", "reference": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog?search_api_fulltext=CVE-2024-1212"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-11-19T04:55:42.626Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "https://kemptechnologies.com/", "tags": ["product", "x_transferred"]}, {"url": "https://freeloadbalancer.com/", "tags": ["product", "x_transferred"]}, {"url": "https://support.kemptechnologies.com/hc/en-us/articles/24325072850573-Release-Notice-LMOS-7-2-59-2-7-2-54-8-7-2-48-10-CVE-2024-1212", "tags": ["vendor-advisory", "x_transferred"]}, {"url": "https://support.kemptechnologies.com/hc/en-us/articles/23878931058445-LoadMaster-Security-Vulnerability-CVE-2024-1212", "tags": ["vendor-advisory", "x_transferred"]}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-01T18:33:24.842Z"}}, {"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2024-1212", "role": "CISA Coordinator", "options": [{"Exploitation": "active"}, {"Automatable": "yes"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2024-11-18T19:31:17.514159Z"}}}, {"other": {"type": "kev", "content": {"dateAdded": "2024-11-18", "reference": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog?search_api_fulltext=CVE-2024-1212"}}}], "affected": [{"cpes": ["cpe:2.3:a:kemptechnologies:loadmaster:*:*:*:*:*:*:*:*"], "vendor": "kemptechnologies", "product": "loadmaster", "versions": [{"status": "affected", "version": "7.2.48.1", "lessThan": "7.2.48.10", "versionType": "custom"}, {"status": "affected", "version": "7.2.54.0", "lessThan": "7.2.54.8", "versionType": "custom"}, {"status": "affected", "version": "7.2.55.0", "lessThan": "7.2.59.2", "versionType": "custom"}], "defaultStatus": "unknown"}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-08-12T19:25:05.682Z"}}], "cna": {"title": "LoadMaster Pre-Authenticated OS Command Injection", "source": {"discovery": "UNKNOWN"}, "credits": [{"lang": "en", "type": "finder", "user": "00000000-0000-4000-9000-000000000000", "value": "Rhino Security Labs"}], "impacts": [{"capecId": "CAPEC-113", "descriptions": [{"lang": "en", "value": "CAPEC-113 API Manipulation"}]}, {"capecId": "CAPEC-115", "descriptions": [{"lang": "en", "value": "CAPEC-115 Authentication Bypass"}]}, {"capecId": "CAPEC-88", "descriptions": [{"lang": "en", "value": "CAPEC-88 OS Command Injection"}]}], "metrics": [{"format": "CVSS", "cvssV3_1": {"scope": "CHANGED", "version": "3.1", "baseScore": 10, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "Progress Software", "modules": ["LoadMaster Management Interface"], "product": "LoadMaster", "versions": [{"status": "affected", "version": "7.2.48.1", "lessThan": "7.2.48.10", "versionType": "semver"}, {"status": "affected", "version": "7.2.54.0", "lessThan": "7.2.54.8", "versionType": "semver"}, {"status": "affected", "version": "7.2.55.0", "lessThan": "7.2.59.2", "versionType": "semver"}], "platforms": ["Linux"], "defaultStatus": "affected"}], "references": [{"url": "https://kemptechnologies.com/", "tags": ["product"]}, {"url": "https://freeloadbalancer.com/", "tags": ["product"]}, {"url": "https://support.kemptechnologies.com/hc/en-us/articles/24325072850573-Release-Notice-LMOS-7-2-59-2-7-2-54-8-7-2-48-10-CVE-2024-1212", "tags": ["vendor-advisory"]}, {"url": "https://support.kemptechnologies.com/hc/en-us/articles/23878931058445-LoadMaster-Security-Vulnerability-CVE-2024-1212", "tags": ["vendor-advisory"]}], "x_generator": {"engine": "Vulnogram 0.1.0-dev"}, "descriptions": [{"lang": "en", "value": "Unauthenticated remote attackers can access the system through the LoadMaster management interface, enabling arbitrary system command execution.\n\n\n", "supportingMedia": [{"type": "text/html", "value": "<span style=\"background-color: rgb(255, 255, 255);\">Unauthenticated remote attackers can access the system through the LoadMaster management interface, enabling arbitrary system command execution.</span>\n\n<br>", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-78", "description": "CWE-78 Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')"}]}], "providerMetadata": {"orgId": "f9fea0b6-671e-4eea-8fde-31911902ae05", "shortName": "ProgressSoftware", "dateUpdated": "2024-02-21T20:45:42.781Z"}}}, "cveMetadata": {"cveId": "CVE-2024-1212", "state": "PUBLISHED", "dateUpdated": "2024-11-19T04:55:42.626Z", "dateReserved": "2024-02-02T18:16:01.280Z", "assignerOrgId": "f9fea0b6-671e-4eea-8fde-31911902ae05", "datePublished": "2024-02-21T17:39:12.599Z", "assignerShortName": "ProgressSoftware"}, "dataVersion": "5.1"}

{"cisaActionDue": "2024-12-09", "cisaExploitAdd": "2024-11-18", "cisaRequiredAction": "Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.", "cisaVulnerabilityName": "Progress Kemp LoadMaster OS Command Injection Vulnerability", "configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:progress:loadmaster:*:*:*:*:*:*:*:*", "matchCriteriaId": "E1B68CCC-11F4-4ECF-9284-5D46ABA70846", "versionEndExcluding": "7.2.48.10", "versionStartIncluding": "7.2.48.1", "vulnerable": true}, {"criteria": "cpe:2.3:a:progress:loadmaster:*:*:*:*:*:*:*:*", "matchCriteriaId": "9D8FAFF9-0C1A-49D3-AB63-10DC49A46881", "versionEndExcluding": "7.2.54.8", "versionStartIncluding": "7.2.54.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:progress:loadmaster:*:*:*:*:*:*:*:*", "matchCriteriaId": "6E8F83C9-8D7C-4DC2-BA3D-AB92709D364F", "versionEndExcluding": "7.2.59.2", "versionStartIncluding": "7.2.55.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Unauthenticated remote attackers can access the system through the LoadMaster management interface, enabling arbitrary system command execution.\n\n\n"}, {"lang": "es", "value": "Los atacantes remotos no autenticados pueden acceder al sistema a trav\u00e9s de la interfaz de administraci\u00f3n de LoadMaster, lo que permite la ejecuci\u00f3n arbitraria de comandos del sistema."}], "id": "CVE-2024-1212", "lastModified": "2025-01-27T21:48:30.333", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 10.0, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 6.0, "source": "security@progress.com", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2024-02-21T18:15:50.417", "references": [{"source": "security@progress.com", "tags": ["Product"], "url": "https://freeloadbalancer.com/"}, {"source": "security@progress.com", "tags": ["Product"], "url": "https://kemptechnologies.com/"}, {"source": "security@progress.com", "tags": ["Not Applicable"], "url": "https://support.kemptechnologies.com/hc/en-us/articles/23878931058445-LoadMaster-Security-Vulnerability-CVE-2024-1212"}, {"source": "security@progress.com", "tags": ["Release Notes"], "url": "https://support.kemptechnologies.com/hc/en-us/articles/24325072850573-Release-Notice-LMOS-7-2-59-2-7-2-54-8-7-2-48-10-CVE-2024-1212"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Product"], "url": "https://freeloadbalancer.com/"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Product"], "url": "https://kemptechnologies.com/"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Not Applicable"], "url": "https://support.kemptechnologies.com/hc/en-us/articles/23878931058445-LoadMaster-Security-Vulnerability-CVE-2024-1212"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Release Notes"], "url": "https://support.kemptechnologies.com/hc/en-us/articles/24325072850573-Release-Notice-LMOS-7-2-59-2-7-2-54-8-7-2-48-10-CVE-2024-1212"}], "sourceIdentifier": "security@progress.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-78"}], "source": "security@progress.com", "type": "Secondary"}, {"description": [{"lang": "en", "value": "CWE-78"}], "source": "nvd@nist.gov", "type": "Primary"}]}