CVE-2024-49357: ZimaOS (Installed Applications and System Information) has Unauthorized Sensitive Data Leak

Get alerts for future matching vulnerabilitiesLog in to subscribe

I. Basic Information for CVE-2024-49357

Vulnerability Information

Have questions about the vulnerability? See if Shenlong's analysis helps!

Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.

Vulnerability Title

ZimaOS (Installed Applications and System Information) has Unauthorized Sensitive Data Leak

Source: NVD (National Vulnerability Database)

Vulnerability Description

ZimaOS is a fork of CasaOS, an operating system for Zima devices and x86-64 systems with UEFI. In version 1.2.4 and all prior versions, the API endpoints in ZimaOS, such as `http://<Server-IP>/v1/users/image?path=/var/lib/casaos/1/app_order.json` and `http://<Server-IP>/v1/users/image?path=/var/lib/casaos/1/system.json`, expose sensitive data like installed applications and system information without requiring any authentication or authorization. This sensitive data leak can be exploited by attackers to gain detailed knowledge about the system setup, installed applications, and other critical information. As of time of publication, no known patched versions are available.

Source: NVD (National Vulnerability Database)

CVSS Information

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Source: NVD (National Vulnerability Database)

Vulnerability Type

信息暴露

Source: NVD (National Vulnerability Database)

Vulnerability Title

ZimaOS 信息泄露漏洞

Source: CNNVD (China National Vulnerability Database)

Vulnerability Description

ZimaOS是IceWhaleTech的一个开源的操作系统项目，旨在提供一个轻量级、高性能、安全的操作系统环境。 ZimaOS 1.2.4版本之前存在信息泄露漏洞，该漏洞源于ZimaOS中的API端点会暴露已安装应用程序和系统信息等敏感数据，而无需任何身份验证或授权。

Source: CNNVD (China National Vulnerability Database)

CVSS Information

N/A

Source: CNNVD (China National Vulnerability Database)

Vulnerability Type

N/A

Source: CNNVD (China National Vulnerability Database)

Affected Products

Vendor	Product	Affected Versions	CPE	Subscribe
IceWhaleTech	ZimaOS	<= 1.2.4	-

II. Public POCs for CVE-2024-49357

#	POC Description	Source Link	Shenlong Link
1	ZimaOS is a fork of CasaOS, an operating system for Zima devices and x86-64 systems with UEFI. In version 1.2.4 and all prior versions, the API endpoints in ZimaOS, such as `http://<Server-IP>/v1/users/image?path=/var/lib/casaos/1/app_order.json` and `http://<Server-IP>/v1/users/image?path=/var/lib/casaos/1/system.json`, expose sensitive data like installed applications and system information without requiring any authentication or authorization. This sensitive data leak can be exploited by attackers to gain detailed knowledge about the system setup, installed applications, and other critical information. As of time of publication, no known patched versions are available.	https://github.com/projectdiscovery/nuclei-templates/blob/main/http/cves/2024/CVE-2024-49357.yaml	POC Details

AI-Generated POCPremium

No public POC found.

III. Intelligence Information for CVE-2024-49357

Please Login to view more intelligence information

IV. Related Vulnerabilities

Same product: ZimaOS

Same vendor: IceWhaleTech

Same weakness: CWE-200

V. Comments for CVE-2024-49357

No comments yet

Goal Reached Thanks to every supporter — we hit 100%!

I. Basic Information for CVE-2024-49357

Vulnerability Information

Vulnerability Title

Vulnerability Description

CVSS Information

Vulnerability Type

Vulnerability Title

Vulnerability Description

CVSS Information

Vulnerability Type

Affected Products

II. Public POCs for CVE-2024-49357

III. Intelligence Information for CVE-2024-49357

IV. Related Vulnerabilities

V. Comments for CVE-2024-49357

Leave a comment