CVE-2024-42450
First published: Tue Nov 19 2024(Updated: )
The Versa Director uses PostgreSQL (Postgres) to store operational and configuration data. It is also needed for High Availability function of the Versa Director. The default configuration has a common password across all instances of Versa Director. By default, Versa Director configures Postgres to listen on all network interfaces. This combination allows an unauthenticated attacker to access and administer the database or read local filesystem contents to escalate privileges on the system. Exploitation Status: Versa Networks is not aware of this exploitation in any production systems. A proof of concept exists in the lab environment. Workarounds or Mitigation: Starting with the latest 22.1.4 version of Versa Director, the software will automatically restrict access to the Postgres and HA ports to only the local and peer Versa Directors. For older releases, Versa recommends performing manual hardening of HA ports. Please refer to the following link for the steps https://docs.versa-networks.com/Solutions/System_Hardening/Perform_Manual_Hardening_for_Versa_Director#Secure_HA_Ports This vulnerability is not exploitable on Versa Directors if published Firewall guidelines are implemented. We have validated that no Versa-hosted head ends have been affected by this vulnerability. All Versa-hosted head ends are patched and hardened. Please contact Versa Technical Support or Versa account team for any further assistance. Software Download Links: 22.1.4: https://support.versa-networks.com/support/solutions/articles/23000026708-release-22-1-4
Credit: support@hackerone.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Versa Networks Versa Director | >22.1.4 | |
| PostgreSQL Common |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Frequently Asked Questions
What is the severity of CVE-2024-42450?
CVE-2024-42450 is rated as a critical vulnerability due to its potential impact on security by using a common password across instances.
How do I fix CVE-2024-42450?
To fix CVE-2024-42450, change the default common password used by all instances of Versa Director to a unique, strong password.
What are the potential risks of CVE-2024-42450?
The risks of CVE-2024-42450 include unauthorized access to operational and configuration data stored in PostgreSQL.
Which software is affected by CVE-2024-42450?
CVE-2024-42450 affects Versa Networks Versa Director starting from version 22.1.4 and involves its PostgreSQL database.
Is CVE-2024-42450 related to PostgreSQL security?
Yes, CVE-2024-42450 is related to PostgreSQL security as it highlights vulnerabilities in how Versa Director manages PostgreSQL authentication.
- agent/references
- agent/first-publish-date
- agent/description
- agent/type
- agent/author
- agent/severity
- agent/weakness
- agent/event
- collector/nvd-api
- source/NVD
- collector/mitre-cve
- source/MITRE
- agent/last-modified-date
- agent/source
- agent/tags
- agent/softwarecombine
- agent/guess-ai
- agent/software-canonical-lookup
- agent/software-canonical-lookup-request
- vendor/versa networks
- canonical/versa networks versa director
- vendor/postgresql
- canonical/postgresql common