CVE-2024-35184

Paperless-ngx is a document management system that transforms physical documents into a searchable online archive. Starting in version 2.5.0 and prior to version 2.8.6, remote user authentication allows API access even if API access is explicitly disabled. Version 2.8.6 contains a patchc for the issue.

CVSS v3 5.5 MEDIUM

5.5^/10

CVSS v3 : MEDIUM

V3 Legend

Vector :

Exploitability : 2.1 / Impact : 3.4

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required LOW

User Interaction REQUIRED

Confidentiality Impact LOW

Integrity Impact LOW

Availability Impact LOW

Scope UNCHANGED

References

Link	Resource
https://github.com/paperless-ngx/paperless-ngx/commit/ed05b40ba461641b1b59b0a92f51f3f6a66ce180
https://github.com/paperless-ngx/paperless-ngx/pull/6739
https://github.com/paperless-ngx/paperless-ngx/releases/tag/v2.8.6
https://github.com/paperless-ngx/paperless-ngx/security/advisories/GHSA-72w4-hxqq-c256

Configurations

No configuration.

History

No history.

Information

Published : 2024-05-15 22:15

Updated : 2024-05-16 13:03

NVD link : CVE-2024-35184

Mitre link : CVE-2024-35184

CVE.ORG link : CVE-2024-35184

JSON object : View

Products Affected

No product.

CWE

CWE-287

Improper Authentication

5.5 /10