Security & compliance
Upholding the highest standards to protect your data and ensure trust.
DEVO-2024-0002
Devolutions Server is affected by multiple vulnerabilities
Affected Products
Change Log
2024-03-05 - Initial Publication 2024-03-11 - Updated fixed versions
Improper privilege management in JIT elevation module
7.0 High - CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:H/SA:N/U:Red
Improper privilege management in Just-in-time (JIT) elevation module in Devolutions Server 2023.3.14.0 and earlier allows a user to continue using the elevated privilege even after the expiration under specific circumstances.
For more information please consult the following knowledge base :https://redirection.devolutions.com/jit-group-revocation-error
CVE(s)
CVE-2024-1764
Remediation and Workarounds
Upgrade to Devolutions Server 2023.3.16.0 or higher
Denial of service in PAM credentials
6.9 Medium - CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:H/U:Green
Denial of service in PAM password rotation during the check-in process in Devolutions Server 2023.3.14.0 allows an authenticated user with specific PAM permissions to make PAM credentials unavailable.
CVE(s)
CVE-2024-1901
Remediation and Workarounds
Upgrade to Devolutions Server 2024.1.0 or higher
Improper access control in the notification administration interface
5.3 Medium - CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:L/SA:N/U:Green
Improper access control in the notification feature in Devolutions Server 2023.3.14.0 and earlier allows a low privileged user to change notifications settings configured by an administrator.
CVE(s)
CVE-2024-1898
Remediation and Workarounds
Upgrade to Devolutions Server 2024.1.0 or higher
Improper session management with identity providers (Okta, O365)
6.0 Medium - CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/U:Amber
Improper session management in the identity provider authentication flow in Devolutions Server 2023.3.14.0 and earlier allows an authenticated user via an identity provider to stay authenticated after his user is disabled or deleted in the identity provider such as Okta or Microsoft O365.
The user will stay authenticated until the Devolutions Server token expiration.
CVE(s)
CVE-2024-1900
Remediation and Workarounds
New installations of Devolutions Server 2024.1.0 are not affected.
For upgraded Devolutions Server 2024.1.0, see the security dashboard warning about using TokenID for authentication to take action.