How severe is CVE-2024-39916?

This vulnerability has a severity rating of MEDIUM with a CVSS score of 6.4 out of 10.

What type of vulnerability is CVE-2024-39916?

This is classified as CWE-453, which is a common weakness in software security.

CVE-2024-39916 - MEDIUM Severity | CVSS 6.4

Vulnerability Description

FOG is a free open-source cloning/imaging/rescue suite/inventory management system. There is a security issue with the NFS configuration in /etc/exports generated by the installer that allows an attacker to modify files outside the export in the default installation. The exports have the no_subtree_check option. The no_subtree_check option means that if a client performs a file operation, the server will only check if the requested file is on the correct filesystem, not if it is in the correct directory. This enables modifying files in /images, accessing other files on the same filesystem, and accessing files on other filesystems. This vulnerability is fixed in 1.5.10.30.

Related Vulnerabilities

CVE-2024-41255

HIGH

CVSS:7.5(High)

filestash v0.4 is configured to skip TLS certificate verification when using the FTPS protocol, possibly allowing attackers to execute a man-in-the-middle attack via the Init function of index.go.

CWE-4532024

CVE-2023-27516

HIGH

CVSS:7.8(High)

An authentication bypass vulnerability exists in the CiRpcAccepted() functionality of SoftEther VPN 4.41-9782-beta and 5.01.9674. A specially crafted network packet can lead to unauthorized access. An...

CWE-4532023

CVE-2022-46831

MEDIUM

CVSS:4.9(Medium)

In JetBrains TeamCity between 2022.10 and 2022.10.1 connecting to AWS using the "Default Credential Provider Chain" allowed TeamCity project administrators to access AWS resources normally limited to ...

CWE-4532022

CVE-2022-3262

HIGH

CVSS:8.1(High)

A flaw was found in Openshift. A pod with a DNSPolicy of "ClusterFirst" may incorrectly resolve the hostname based on a service provided. This flaw allows an attacker to supply an incorrect name with ...

CWE-4532022

CVE-2024-49120

HIGH

CVSS:8.1(High)

Windows Remote Desktop Services Remote Code Execution Vulnerability

CWE-4532024

CVE-2021-27426

CRITICAL

CVSS:9.8(Critical)

GE UR IED firmware versions prior to version 8.1x with “Basic” security variant does not allow the disabling of the “Factory Mode,” which is used for servicing the IED by a “Factory” user.

CWE-4532021