
DEVO-2024-0017

Devolutions Server and Remote Desktop Manager are affected by vulnerabilities

Affected products

Devolutions Server
2024.3.8.0 and earlier
Remote Desktop Manager
2024.3.19.0 and earlier

Changelog

2024/12/4 - Initial publication

5.3 Medium - CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N

Incorrect authorization in report permission validation component

Incorrect authorization in permission validation component in Devolutions Server 2024.3.6.0 and earlier allows an authenticated user to access some reporting endpoints.

Affected products

CVE(s)

CVE-2024-12148

Remediation and workarounds

Upgrade to Devolutions Server 2024.3.7.0 or higher

8.6 High - CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N

Incorrect permission assignment in temporary access requests component

Incorrect permission assignment in temporary access requests component in Devolutions Remote Desktop Manager 2024.3.19.0 and earlier on Windows allows an authenticated user who requests temporary permissions on an entry to obtain more privileges than requested.

Affected products

CVE(s)

CVE-2024-12149

Remediation and workarounds

Upgrade to Remote Desktop Manager 2024.3.20.0 or higher

2.3 Low - CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N

Incorrect permission assignment in the user migration feature

Incorrect permission assignment in the user migration feature in Devolutions Server 2024.3.8.0 and earlier allows users to retain their old permission sets.

Affected products

CVE(s)

CVE-2024-12151

Remediation and workarounds

Upgrade to Devolutions Server 2024.3.9.0 or higher

7.1 High - CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N

Incorrect authorization in the view password permission component in Devolutions Server

Incorrect authorization in the permission component in Devolutions Server 2024.3.7.0 and earlier allows an authenticated user to view the password history of an entry without the view password permission.

The user must have access to the entry to exploit the vulnerability.

Affected products

CVE(s)

CVE-2024-12196

Remediation and workarounds

Upgrade to Devolutions Server 2024.3.8.0 or higher
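
Because each CVE in this advisory has its own last-affected and first-fixed version, the following added example (not Devolutions code) triages an installed version against all four entries and reports the lowest version that clears every open item. The version bounds, CVE identifiers and scores are taken from the advisory text above; the host names and inventory are constructed sample data, and the platform condition on CVE-2024-12149 (Windows) is not checked.

```python
# Added example: triage installed versions against advisory DEVO-2024-0017.
# Bounds, CVE ids and CVSS scores are copied from the advisory text;
# the inventory at the bottom is constructed sample data.

DVLS = "Devolutions Server"
RDM = "Remote Desktop Manager"

# (CVE, product, last affected version, first fixed version, CVSS 4.0 score)
# Note: CVE-2024-12149 applies to RDM on Windows; platform is not checked here.
ADVISORY = [
    ("CVE-2024-12148", DVLS, "2024.3.6.0", "2024.3.7.0", 5.3),
    ("CVE-2024-12149", RDM, "2024.3.19.0", "2024.3.20.0", 8.6),
    ("CVE-2024-12151", DVLS, "2024.3.8.0", "2024.3.9.0", 2.3),
    ("CVE-2024-12196", DVLS, "2024.3.7.0", "2024.3.8.0", 7.1),
]


def parse_version(text):
    """Turn '2024.3.8.0' into (2024, 3, 8, 0) so comparison is numeric, not lexical."""
    parts = tuple(int(p) for p in text.strip().split("."))
    if len(parts) != 4:
        raise ValueError(f"expected a four-part version, got {text!r}")
    return parts


def triage(product, installed):
    """Return (open CVEs sorted by score, highest first; lowest version clearing all)."""
    current = parse_version(installed)
    hits = [row for row in ADVISORY
            if row[1] == product and current <= parse_version(row[2])]
    hits.sort(key=lambda row: row[4], reverse=True)
    # The upgrade target is the highest "first fixed" version among the open CVEs.
    target = max((row[3] for row in hits), key=parse_version, default=None)
    return [row[0] for row in hits], target


if __name__ == "__main__":
    # Constructed inventory: host name, product, installed version.
    inventory = [
        ("dvls-prod", DVLS, "2024.3.7.0"),
        ("dvls-lab", DVLS, "2024.3.10.0"),
        ("jump-01", RDM, "2024.3.9.0"),  # 9 < 19: a string compare would miss this
    ]
    for host, product, version in inventory:
        cves, target = triage(product, version)
        status = f"upgrade to {target} or higher: {', '.join(cves)}" if cves else "not affected"
        print(f"{host} ({product} {version}): {status}")
```
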
