CRITICAL🇵🇱 Wersja polska

CVE-2024-46909

CVSS 9.8v3.1pub. 2024-12-02upd. 2024-12-10

In WhatsUp Gold versions released before 2024.0.1, a remote unauthenticated attacker could leverage this vulnerability to execute code in the context of the service account.

🤖 AI Analysis
How it works

The vulnerability results from improper configuration and path traversal errors, which allow bypassing authentication mechanisms (auth bypass). An attacker can send a specially crafted request over the network to the vulnerable system without possessing any credentials and without user interaction. As a result, code execution is possible in the context of the application service account.

Impact

An attacker gains the ability to execute code remotely (RCE) with the privileges of the WhatsUp Gold service account, which in practice can mean complete system takeover, data breach, and further lateral movement in the network.

Mitigation & patch

Progress WhatsUp Gold must be immediately updated to version 2024.0.1 or later. Detailed patch information is available in the vendor's security bulletin (Progress WhatsUp Gold Security Bulletin, September 2024) and in the official release notes for version 2024.0.

Who is affected

Progress WhatsUp Gold in all versions released before 2024.0.1

Analysis generated by Claude AI (Anthropic) based on NVD data. Always verify with vendor.
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
  • Progress Whatsup Gold

    APP
    Progress
    < 24.0.1
🔵
CHECK WITH VENDOR
No clear patch data available. Check vendor references.
Tags
Auth BypassPath Traversal
CWE
References

Related vulnerabilities

CVE-2024-6670CRITICAL9.8⚠ KEVPL ✓ten sam produkt

SQL Injection w Progress WhatsUp Gold — kradzież zaszyfrowanych haseł

CVE-2024-4885CRITICAL9.8⚠ KEVPL ✓ten sam produkt

Progress WhatsUp Gold – nieuwierzytelniony RCE przez path traversal

CVE-2024-12106CRITICAL9.4PL ✓ten sam produkt

Progress WhatsUp Gold — nieautoryzowana konfiguracja ustawień LDAP

CVE-2024-12108CRITICAL9.6PL ✓ten sam produkt

Progress WhatsUp Gold — nieautoryzowany dostęp do serwera przez publiczne API

CVE-2024-8785CRITICAL9.8PL ✓ten sam produkt

Progress WhatsUp Gold – nieautoryzowana modyfikacja rejestru Windows przez NmAPI.exe