VYPR
Medium severity 6.3 · NVD Advisory · Published May 28, 2024 · Updated Apr 15, 2026

CVE-2024-28061

Description

An issue was discovered in Apiris Kafeo 6.4.4. It permits a bypass of the protection in place, giving access to the data stored in the embedded database file.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Apiris Kafeo 6.4.4 allows local attackers to bypass protection and access the embedded database, leading to data exposure and potential modification.

Vulnerability Overview

CVE-2024-28061 affects Apiris Kafeo version 6.4.4. The application fails to properly enforce access controls on its embedded database file, allowing an attacker to bypass the intended protection mechanisms and directly access the stored data [1]. The root cause is a missing or insufficient authentication check when accessing the database file, which is typically used to store sensitive configuration or user data.

Exploitation Conditions

Exploitation requires local access to the system running Kafeo. According to the CVSS 4.0 vector provided in the advisory, the attack complexity is low, no privileges are required, and no user interaction is needed [2]. This means any user or process with local file system access can read or modify the database file without triggering any authentication prompts.

Impact

A successful attack compromises both the confidentiality and integrity of the data stored in the embedded database. An attacker could extract sensitive information (e.g., credentials, configuration details) and also alter the database content, potentially leading to further system compromise or service disruption [2]. The CVSS 4.0 score of 8.5 (High) reflects the serious nature of this vulnerability.

Mitigation Status

As of the disclosure date (May 2024), no official patch has been released by Apiris. The vendor was contacted multiple times but did not respond [2]. Users of Kafeo 6.4.4 should consider restricting local access to the system, monitoring file access, or isolating the application until a fix becomes available.

AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products: 1

Patches: 0. No patches discovered yet.

References: 2