Security and compliance

DEVO-2025-0008

Summary

Devolutions Server is affected by a vulnerability.

Affected products

Devolutions Server 2025.1.3.0 through 2025.1.7.0

Devolutions Server 2024.3.15.0 and earlier

Change log

28/05/2025 - Initial publication

Severity

High

Product

Devolutions Server

Fixed version

See vulnerabilities for fixed versions

Improper privilege assignment in PAM JIT privilege sets

Description

Improper privilege assignment in PAM JIT privilege sets in Devolutions Server allows a PAM user to perform PAM JIT requests on unauthorized groups by exploiting a user interface issue.

If you are not using PAM, you are not affected.

Remediation and workarounds

How to know if you are affected?

This vulnerability affects the JIT Privilege Sets of the PAM module. If you are not using PAM, you are not affected.

If JIT Privilege Sets are not enabled on your PAM providers, or if no privilege sets are configured on your providers, you are not affected. This information can be found in your PAM provider configuration under the "JIT privilege elevation" section.

If you are using JIT Privilege Sets, you might be affected, and we recommend following the instructions in the next section.

What actions are necessary if you are affected?

Review the "Assigned provider privileges" of your privilege sets. If all available groups are selected, you are affected by the security issue—unless this configuration was intentional. Review each group and assign only the groups that this set should have access to.

To simplify this review, starting with Devolutions Server Console 2025.1.10, a security notice will appear in the update server instance summary. This notice will inform you if your instance is potentially affected by this issue. It will list the potentially affected providers and privilege sets.
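The review described above can be scripted against an inventory of your providers. The following is an added example, not Devolutions code: the provider and privilege-set structures, the field names, and the sample inventory are all constructed here for illustration, since the advisory does not document an export format.

```python
"""Audit helper for the DEVO-2025-0008 review of PAM JIT privilege sets.

Flags any privilege set whose "Assigned provider privileges" cover every
available group of its provider, the condition the advisory calls affected,
unless an operator has marked that breadth as intentional.
Data model and field names are hypothetical, not a Devolutions Server format.
"""
from dataclasses import dataclass, field


@dataclass
class PrivilegeSet:
    name: str
    assigned_groups: set[str]
    intentional_all: bool = False  # operator confirmed "all groups" is wanted


@dataclass
class PamProvider:
    name: str
    jit_enabled: bool                # "JIT privilege elevation" section enabled
    available_groups: set[str]       # groups the provider exposes for JIT
    privilege_sets: list[PrivilegeSet] = field(default_factory=list)


def audit_provider(provider: PamProvider) -> list[str]:
    """Return names of privilege sets on this provider that need review."""
    # Per the advisory: no JIT privilege sets enabled/configured -> not affected.
    if not provider.jit_enabled or not provider.privilege_sets:
        return []
    return [
        ps.name
        for ps in provider.privilege_sets
        # Every available group selected, and not an intentional choice.
        if ps.assigned_groups >= provider.available_groups and not ps.intentional_all
    ]


def audit(providers: list[PamProvider]) -> dict[str, list[str]]:
    """Map provider name -> flagged privilege sets, omitting clean providers."""
    return {p.name: flagged for p in providers if (flagged := audit_provider(p))}


# Constructed sample inventory (not real data).
CORP_GROUPS = {"Domain Admins", "Server Operators", "Helpdesk"}
SAMPLE_PROVIDERS = [
    PamProvider("ad-corp", True, CORP_GROUPS, [
        PrivilegeSet("tier0-break-glass", set(CORP_GROUPS)),   # all groups: flagged
        PrivilegeSet("helpdesk-reset", {"Helpdesk"}),          # scoped: fine
    ]),
    PamProvider("ad-lab", False, CORP_GROUPS, [                # JIT disabled: skip
        PrivilegeSet("lab-all", set(CORP_GROUPS)),
    ]),
    PamProvider("ad-dmz", True, {"DMZ Operators"}),            # no sets: skip
]

if __name__ == "__main__":
    for provider, sets in audit(SAMPLE_PROVIDERS).items():
        print(f"{provider}: review privilege sets {sets}")
```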

Severity

8.4 High - CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:H/VA:N/SC:H/SI:H/SA:H

Affected products

Devolutions Server 2025.1.3.0 through 2025.1.7.0

Devolutions Server 2024.3.15.0 and earlier

CVE(s)

CVE-2025-4493
