MAIN MENU

Security & compliance

Upholding the highest standards to protect your data and ensure trust.

DEVO-2024-0002

Devolutions Server is affected by multiple vulnerabilities

Affected Products

Devolutions Server

Change Log

2024-03-05 - Initial Publication 2024-03-11 - Updated fixed versions

Improper privilege management in JIT elevation module

7.0 High - CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:H/SA:N/U:Red

Improper privilege management in Just-in-time (JIT) elevation module in Devolutions Server 2023.3.14.0 and earlier allows a user to continue using the elevated privilege even after the expiration under specific circumstances.

For more information please consult the following knowledge base :https://redirection.devolutions.com/jit-group-revocation-error

CVE(s)

CVE-2024-1764

Remediation and Workarounds

Upgrade to Devolutions Server 2023.3.16.0 or higher

Denial of service in PAM credentials

6.9 Medium - CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:H/U:Green

Denial of service in PAM password rotation during the check-in process in Devolutions Server 2023.3.14.0 allows an authenticated user with specific PAM permissions to make PAM credentials unavailable.

CVE(s)

CVE-2024-1901

Remediation and Workarounds

Upgrade to Devolutions Server 2024.1.0 or higher

Improper access control in the notification administration interface

5.3 Medium - CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:L/SA:N/U:Green

Improper access control in the notification feature in Devolutions Server 2023.3.14.0 and earlier allows a low privileged user to change notifications settings configured by an administrator.

CVE(s)

CVE-2024-1898

Remediation and Workarounds

Upgrade to Devolutions Server 2024.1.0 or higher

Improper session management with identity providers (Okta, O365)

6.0 Medium - CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/U:Amber

Improper session management in the identity provider authentication flow in Devolutions Server 2023.3.14.0 and earlier allows an authenticated user via an identity provider to stay authenticated after his user is disabled or deleted in the identity provider such as Okta or Microsoft O365.

The user will stay authenticated until the Devolutions Server token expiration.

CVE(s)

CVE-2024-1900

Remediation and Workarounds

New installations of Devolutions Server 2024.1.0 are not affected.

For upgraded Devolutions Server 2024.1.0, see the security dashboard warning about using TokenID for authentication to take action.