CVE-2023-5240
Description
Improper access control in Devolutions Server PAM propagation scripts allows users with permission to manage scripts to retrieve stored passwords via a GET request.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
An improper access control vulnerability exists in the PAM propagation scripts feature of Devolutions Server version 2023.2.8.0 and earlier [1]. The flaw allows an authenticated user who has permission to manage PAM propagation scripts to retrieve passwords stored within those scripts by sending a GET request, bypassing the intended access controls that should prevent such retrieval [1].
Exploitation
To exploit this vulnerability, an attacker must have a valid user account on the Devolutions Server with the specific permission to manage PAM propagation scripts [1]. No further privileges are required. The attacker can then craft a GET request to the relevant endpoint to retrieve the passwords stored in the scripts [1].
Impact
Successful exploitation results in the disclosure of passwords stored within PAM propagation scripts. This can lead to unauthorized access to systems or services that those passwords protect, potentially compromising confidentiality and integrity [1]. The scope of impact depends on the resources secured by the exposed passwords [1].
Mitigation
Devolutions has released version 2023.2.9.0 to address this vulnerability [1]. Users should upgrade to this version or later. As a workaround, administrators may consider restricting the permission to manage PAM propagation scripts to only highly trusted accounts until the upgrade is applied [1].
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products (2)
- Devolutions/Server, v5, Range: 0
Patches (0)
No patches discovered yet.
References (1)