Skip to main content

Fogproject CVE-2024-41954

HIGH
Incorrect Permission Assignment for Critical Resource (CWE-732)
2024-07-31 security-advisories@github.com
7.8
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
7.8 HIGH
AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

1
CVE Published
Jul 31, 2024 - 20:15 nvd
HIGH 7.8

DescriptionNVD

FOG is a cloning/imaging/rescue suite/inventory management system. The application stores plaintext service account credentials in the "/opt/fog/.fogsettings" file. This file is by default readable by all users on the host. By exploiting these credentials, a malicious user could create new accounts for the web application and much more. The vulnerability is fixed in 1.5.10.41.

AnalysisAI

FOG is a cloning/imaging/rescue suite/inventory management system. Rated high severity (CVSS 7.8), this vulnerability is low attack complexity. Public exploit code available.

Technical ContextAI

This vulnerability is classified as Incorrect Permission Assignment (CWE-732), which allows attackers to access resources due to misconfigured permissions. FOG is a cloning/imaging/rescue suite/inventory management system. The application stores plaintext service account credentials in the "/opt/fog/.fogsettings" file. This file is by default readable by all users on the host. By exploiting these credentials, a malicious user could create new accounts for the web application and much more. The vulnerability is fixed in 1.5.10.41. Affected products include: Fogproject.

RemediationAI

A vendor patch is available. Apply the latest security update as soon as possible. Review and restrict file/resource permissions, apply principle of least privilege.

CVE-2025-58443 CRITICAL POC
9.9 Sep 06

FOG is a free open-source cloning/imaging/rescue suite/inventory management system. Rated critical severity (CVSS 9.9),

CVE-2024-39914 CRITICAL POC
9.8 Jul 12

FOG is a cloning/imaging/rescue suite/inventory management system. Rated critical severity (CVSS 9.8), this vulnerabilit

CVE-2024-40645 HIGH POC
8.8 Jul 31

FOG is a cloning/imaging/rescue suite/inventory management system. Rated high severity (CVSS 8.8), this vulnerability is

CVE-2021-32243 HIGH POC
8.8 Jun 16

FOGProject v1.5.9 is affected by a File Upload RCE (Authenticated). Rated high severity (CVSS 8.8), this vulnerability i

CVE-2024-42348 HIGH POC
8.6 Aug 02

FOG is a cloning/imaging/rescue suite/inventory management system. Rated high severity (CVSS 8.6), this vulnerability is

CVE-2024-34477 HIGH POC
7.8 May 27

configureNFS in lib/common/functions.sh in FOG through 1.5.10 allows local users to gain privileges by mounting a crafte

CVE-2024-41108 MEDIUM POC
5.9 Jul 31

FOG is a free open-source cloning/imaging/rescue suite/inventory management system. Rated medium severity (CVSS 5.9), th

CVE-2024-42349 MEDIUM POC
5.3 Aug 02

FOG is a cloning/imaging/rescue suite/inventory management system. Rated medium severity (CVSS 5.3), this vulnerability

CVE-2023-46236 HIGH
7.5 Oct 31

FOG is a free open-source cloning/imaging/rescue suite/inventory management system. Rated high severity (CVSS 7.5), this

CVE-2024-39916 MEDIUM
6.4 Jul 12

FOG is a free open-source cloning/imaging/rescue suite/inventory management system. Rated medium severity (CVSS 6.4), th

CVE-2023-46235 MEDIUM
6.1 Oct 31

FOG is a free open-source cloning/imaging/rescue suite/inventory management system. Rated medium severity (CVSS 6.1), th

CVE-2026-33739 MEDIUM
5.7 Mar 27

Stored cross-site scripting (XSS) in FOG Project versions prior to 1.5.10.1812 allows authenticated high-privilege admin

Share

CVE-2024-41954 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy