Vulnerabilities > CVE-2024-39916 - Insecure Default Initialization of Resource vulnerability in Fogproject

CVSS 6.4 - MEDIUM

Attack vector

NETWORK

Attack complexity

LOW

Privileges required

LOW

Confidentiality impact

LOW

Integrity impact

LOW

Availability impact

NONE

network

low complexity

fogproject

CWE-1188

NVD

Published: 2024-07-12

Updated: 2024-09-05

Summary

FOG is a free open-source cloning/imaging/rescue suite/inventory management system. There is a security issue with the NFS configuration in /etc/exports generated by the installer that allows an attacker to modify files outside the export in the default installation. The exports have the no_subtree_check option. The no_subtree_check option means that if a client performs a file operation, the server will only check if the requested file is on the correct filesystem, not if it is in the correct directory. This enables modifying files in /images, accessing other files on the same filesystem, and accessing files on other filesystems. This vulnerability is fixed in 1.5.10.30.

Vulnerable Configurations

Part	Description	Count
Application	Fogproject Fogproject Fogproject - Fogproject Fogproject 1.3.0 Fogproject Fogproject 1.3.1 Fogproject Fogproject 1.3.2 Fogproject Fogproject 1.3.3 Fogproject Fogproject 1.3.4 Fogproject Fogproject 1.3.5 Fogproject Fogproject 1.4.0 Fogproject Fogproject 1.4.1 Fogproject Fogproject 1.4.2 Fogproject Fogproject 1.4.3 Fogproject Fogproject 1.4.4 Fogproject Fogproject 1.5.0 Fogproject Fogproject 1.5.1 Fogproject Fogproject 1.5.2 Fogproject Fogproject 1.5.3 Fogproject Fogproject 1.5.4 Fogproject Fogproject 1.5.5 Fogproject Fogproject 1.5.6 Fogproject Fogproject 1.5.7 Fogproject Fogproject 1.5.8 Fogproject Fogproject 1.5.9	24

Common Weakness Enumeration (CWE)

CWE-1188 - Insecure Default Initialization of Resource

Summary

Vulnerable Configurations

Common Weakness Enumeration (CWE)

References