CVE-2024-49357 PoC — ZimaOS Information Disclosure Vulnerability

Associated Vulnerability
Title: ZimaOS Information Disclosure Vulnerability (CVE-2024-49357)
Description: ZimaOS is an open-source operating system project by IceWhaleTech that aims to provide a lightweight, high-performance and secure operating system environment. ZimaOS versions before 1.2.4 contain an information disclosure vulnerability: API endpoints in ZimaOS expose sensitive data such as the list of installed applications and system information without requiring any authentication or authorization.
Description
ZimaOS is a fork of CasaOS, an operating system for Zima devices and x86-64 systems with UEFI. In version 1.2.4 and all prior versions, API endpoints in ZimaOS such as `http://<Server-IP>/v1/users/image?path=/var/lib/casaos/1/app_order.json` and `http://<Server-IP>/v1/users/image?path=/var/lib/casaos/1/system.json` expose sensitive data, including the installed applications and system information, without requiring any authentication or authorization. This leak can be used by an attacker to gain detailed knowledge of the system setup, installed applications and other critical information. As of the time of publication, no known patched versions are available.
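The weakness described above is an unauthenticated file-read endpoint (`/v1/users/image?path=...`) that serves non-image files from `/var/lib/casaos/`. A defender who cannot patch yet can at least spot successful reads of those files in the web access log. The following is an added detection example, not code from the page or from the ZimaOS project: it assumes a combined-format access log in front of the ZimaOS API (the sample lines below are constructed, not real ZimaOS logs) and flags every `200` response from that endpoint whose `path` parameter resolves to something that is not an image file, including the two `.json` paths named in the advisory and a percent-encoded variant.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample lines in a common combined-log layout (not real ZimaOS logs).
# 203.0.113.7 pulls app_order.json and system.json, once percent-encoded;
# 198.51.100.9 fetches a legitimate avatar image and then hits a protected route.
SAMPLE_LOG = """\
203.0.113.7 - - [12/Oct/2024:10:01:02 +0000] "GET /v1/users/image?path=/var/lib/casaos/1/app_order.json HTTP/1.1" 200 512 "-" "curl/8.4.0"
203.0.113.7 - - [12/Oct/2024:10:01:03 +0000] "GET /v1/users/image?path=/var/lib/casaos/1/system.json HTTP/1.1" 200 1024 "-" "curl/8.4.0"
198.51.100.9 - - [12/Oct/2024:10:02:10 +0000] "GET /v1/users/image?path=/var/lib/casaos/1/avatar.png HTTP/1.1" 200 20480 "-" "Mozilla/5.0"
198.51.100.9 - - [12/Oct/2024:10:02:11 +0000] "GET /v1/users/current HTTP/1.1" 401 0 "-" "Mozilla/5.0"
203.0.113.7 - - [12/Oct/2024:10:03:00 +0000] "GET /v1/users/image?path=%2Fvar%2Flib%2Fcasaos%2F1%2Fsystem.json HTTP/1.1" 200 1024 "-" "python-requests/2.31"
"""

# Assumed log layout: client ip, identd, user, [timestamp], "METHOD target PROTO", status, size, ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)

# The endpoint named in the advisory and the file types it is meant to serve.
AFFECTED_ENDPOINT = "/v1/users/image"
IMAGE_SUFFIXES = (".png", ".jpg", ".jpeg", ".gif", ".webp", ".svg")


def parse_line(line):
    """Return the fields of one access-log line, or None if it does not match the layout."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def requested_path(target):
    """Return the decoded `path` query parameter of a request target, or None.

    parse_qs percent-decodes values, so an encoded %2Fvar%2F... path is
    normalised to /var/... before the suffix check.
    """
    parts = urlsplit(target)
    if parts.path != AFFECTED_ENDPOINT:
        return None
    values = parse_qs(parts.query).get("path")
    return values[0] if values else None


def is_sensitive_image_request(target):
    """True when the image endpoint is asked for a file that is not an image at all."""
    path = requested_path(target)
    if path is None:
        return False
    return not path.lower().endswith(IMAGE_SUFFIXES)


def scan(log_text):
    """Return one finding per successful non-image read through the affected endpoint."""
    findings = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        # Only a 200 means the file body was actually handed out.
        if rec["status"] == "200" and is_sensitive_image_request(rec["target"]):
            findings.append({
                "ip": rec["ip"],
                "ts": rec["ts"],
                "path": requested_path(rec["target"]),
                "status": rec["status"],
            })
    return findings


def by_source(findings):
    """Count findings per client address, to see who is enumerating the host."""
    counts = {}
    for f in findings:
        counts[f["ip"]] = counts.get(f["ip"], 0) + 1
    return counts


if __name__ == "__main__":
    hits = scan(SAMPLE_LOG)
    for h in hits:
        print(f'{h["ts"]} {h["ip"]} read {h["path"]}')
    print("per source:", by_source(hits))
```

The suffix check is deliberately an allow-list on image types rather than a block-list on `.json`, so any other non-image file pulled through the endpoint is flagged as well; the avatar request and the `401` on the protected route are left alone. Until a fixed release is available, the same endpoint can also be restricted at a reverse proxy to authenticated sessions, with this scan run over historical logs to establish whether the files were already read.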
File Snapshot

id: CVE-2024-49357
info:
  name: ZimaOS <= v1.2.4 - Sensitive Information Disclosure
  author: Dhiy ...