Vulnerability Information
Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
N/A
Vulnerability Description
Proxmox Virtual Environment is an open-source server management platform for enterprise virtualization. Insufficient safeguards against malicious API response values allow authenticated attackers with 'Sys.Audit' or 'VM.Monitor' privileges to download arbitrary host files via the API. When handling the result from a request handler before returning it to the user, the handle_api2_request function will check for the ‘download’ or ‘data’->’download’ objects inside the request handler call response object. If present, handle_api2_request will read a local file defined by this object and return it to the user. Two endpoints were identified which can control the object returned by a request handler sufficiently that the ’download’ object is defined and user controlled. This results in arbitrary file read. The privileges of this file read can result in full compromise of the system by various impacts such as disclosing sensitive files allowing for privileged session forgery.
CVSS Information
CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:N
Vulnerability Type
文件名或路径的外部可控制
Vulnerability Title
Proxmox Virtual Environment 安全漏洞
Vulnerability Description
Proxmox Virtual Environment(Proxmox VE)是Proxmox公司的一个开源的服务器虚拟化环境 Linux 发行版。 Proxmox Virtual Environment存在安全漏洞,该漏洞源于对恶意API响应值的保护措施不足,经过身份验证的攻击者可以通过API下载任意主机文件。
CVSS Information
N/A
Vulnerability Type
N/A