Security & Compliance
DEVO-2024-0017
Summary
Devolutions Server and Remote Desktop Manager are affected by vulnerabilities
Affected products
Devolutions Server 2024.3.8.0 and earlier
Remote Desktop Manager 2024.3.19.0 and earlier
Changelog
2024/12/4 - Initial publication
Severity
High
Product
Devolutions Server, Remote Desktop Manager
Fixed version
See vulnerabilities for fixed versions
Incorrect authorization in report permission validation component
Description
Incorrect authorization in permission validation component in Devolutions Server 2024.3.6.0 and earlier allows an authenticated user to access some reporting endpoints.
Fixes and workarounds
Upgrade to Devolutions Server 2024.3.7.0 or higher
Severity
5.3 Medium - CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N
Affected products
Devolutions Server 2024.3.6.0 and earlier
CVE(s)
CVE-2024-12148
Incorrect permission assignment in temporary access requests component
Description
Incorrect permission assignment in temporary access requests component in Devolutions Remote Desktop Manager 2024.3.19.0 and earlier on Windows allows an authenticated user that requests temporary permissions on an entry to obtain more privileges than requested.
Fixes and workarounds
Upgrade to Remote Desktop Manager 2024.3.20.0 or higher
Severity
8.6 High - CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N
Affected products
Remote Desktop Manager 2024.3.19.0 and earlier
CVE(s)
CVE-2024-12149
Incorrect permission assignment in the user migration feature
Description
Incorrect permission assignment in the user migration feature in Devolutions Server 2024.3.8.0 and earlier allows users to retain their old permission sets.
Fixes and workarounds
Upgrade to Devolutions Server 2024.3.9.0 or higher
Severity
2.3 Low - CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N
Affected products
Devolutions Server 2024.3.8.0 and earlier
CVE(s)
CVE-2024-12151
Incorrect authorization in the view password permission component in Devolutions Server
Description
Incorrect authorization in the permission component in Devolutions Server 2024.3.7.0 and earlier allows an authenticated user to view the password history of an entry without the view password permission.
The user must have access to the entry to exploit the vulnerability.
Fixes and workarounds
Upgrade to Devolutions Server 2024.3.8.0 or higher
Severity
7.1 High - CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N
Affected products
Devolutions Server 2024.3.7.0 and earlier
CVE(s)
CVE-2024-12196
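The affected and fixed versions listed above, applied as an inventory check. This is an added example, not code from Devolutions: the `ADVISORY` rows are transcribed from this page, while the function names and the inventory hosts are made up for illustration. A host whose platform is unknown is treated as affected.

```python
# Added example. ADVISORY rows are transcribed from DEVO-2024-0017:
# (CVE, product, platform or None, last affected, first fixed, CVSS 4.0 score)
ADVISORY = [
    ("CVE-2024-12148", "Devolutions Server", None, "2024.3.6.0", "2024.3.7.0", 5.3),
    ("CVE-2024-12149", "Remote Desktop Manager", "Windows", "2024.3.19.0", "2024.3.20.0", 8.6),
    ("CVE-2024-12151", "Devolutions Server", None, "2024.3.8.0", "2024.3.9.0", 2.3),
    ("CVE-2024-12196", "Devolutions Server", None, "2024.3.7.0", "2024.3.8.0", 7.1),
]

def parse_version(text):
    """'2024.3.8.0' -> (2024, 3, 8, 0); numeric, so 3.19 sorts after 3.8."""
    parts = tuple(int(p) for p in text.strip().split("."))
    return parts + (0,) * (4 - len(parts))

def triage(product, installed, platform=None):
    """Return applicable CVEs (highest score first) and the lowest build fixing all."""
    have = parse_version(installed)
    hits = [r for r in ADVISORY
            if r[1] == product
            and (r[2] is None or platform is None or platform == r[2])
            and have <= parse_version(r[3])]
    if not hits:
        return {"cves": [], "upgrade_to": None, "max_score": None}
    hits.sort(key=lambda r: r[5], reverse=True)
    return {"cves": [r[0] for r in hits],
            "upgrade_to": max((r[4] for r in hits), key=parse_version),
            "max_score": hits[0][5]}

# Constructed inventory: hypothetical hosts, not real systems.
INVENTORY = [
    ("dvls-01", "Devolutions Server", "2024.3.7.0", "Windows"),
    ("dvls-02", "Devolutions Server", "2024.3.9.0", "Windows"),
    ("admin-ws", "Remote Desktop Manager", "2024.3.8.0", "Windows"),
    ("admin-mac", "Remote Desktop Manager", "2024.3.8.0", "macOS"),
]

def report(inventory):
    """List (host, upgrade_to, cves) for hosts still affected, worst first."""
    rows = [(host, triage(prod, ver, plat)) for host, prod, ver, plat in inventory]
    rows = [(h, t) for h, t in rows if t["cves"]]
    rows.sort(key=lambda x: x[1]["max_score"], reverse=True)
    return [(h, t["upgrade_to"], t["cves"]) for h, t in rows]

if __name__ == "__main__":
    for host, target, cves in report(INVENTORY):
        print(f"{host}: upgrade to {target} or higher ({', '.join(cves)})")
```

Comparing the version strings directly would sort `2024.3.8.0` after `2024.3.19.0` and miss the Remote Desktop Manager host, which is why the check compares parsed integer tuples.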