CVE-2024-3046: Eclipse Kura LogServlet vulnerability

April 9, 2024

In the Eclipse Kura LogServlet component included in versions 5.0.0 to 5.4.1, a specially crafted request to the servlet can allow an unauthenticated user to retrieve the device logs. An attacker may also use the downloaded logs to perform privilege escalation, using the session ID of an authenticated user recorded in the logs.

This issue affects org.eclipse.kura:org.eclipse.kura.web2 version range [2.0.600, 2.4.0], which is included in Eclipse Kura version range [5.0.0, 5.4.1].

References

  • github.com/advisories/GHSA-frc2-w2cc-x794
  • github.com/eclipse/kura
  • gitlab.eclipse.org/security/vulnerability-reports/-/issues/188
  • nvd.nist.gov/vuln/detail/CVE-2024-3046

Affected versions

All versions starting from 2.0.600 up to 2.4.0

Solution

Unfortunately, there is no solution available yet.

Impact 7.5 HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Weakness

  • CWE-303: Incorrect Implementation of Authentication Algorithm

Source file

maven/org.eclipse.kura/org.eclipse.kura.web2/CVE-2024-3046.yml

Page generated Wed, 14 May 2025 12:15:00 +0000.