CVE-2024-12908
Severity CVSS v4.0:
Pending analysis
Type:
CWE-94
Code Injection
Publication date:
26/12/2024
Last modified:
15/10/2025
Description
Delinea addressed a reported case in Secret Server v11.7.31 (protocol handler version 6.0.3.26) where, within the protocol handler function, URIs were compared against the approved list before normalization and canonicalization, potentially leading to over-matching against that list. If this weakness were successfully exploited, a remote attacker could convince a user to visit a malicious web page, or open a malicious document, that triggers the vulnerable handler, allowing the attacker to execute arbitrary code on the user's machine. Delinea added additional validation that the downloaded installer's batch file is in the expected format.
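The description names the bug class without showing it: an allow list consulted on the raw URI string before the URI is normalized and canonicalized. The following is an added illustration of that class, not Delinea's handler code: a naive prefix check beside a check made on canonical components (scheme, host, port, path after percent-decoding and dot-segment resolution). The approved host, path prefix and sample URIs are constructed for the example.

```python
"""Allow-list matching of a handler URI: naive string-prefix check versus
a check performed after normalization and canonicalization.

Illustration of the bug class described for CVE-2024-12908 (comparison
against the approved list before normalization). Not Delinea's code; the
host name, path prefix and sample URIs below are constructed.
"""
from urllib.parse import urlsplit, unquote
import posixpath

# Constructed allow list (hypothetical names, not Delinea's).
APPROVED_HOSTS = {"updates.example.com"}
APPROVED_PATH_PREFIX = "/installer/"


def naive_is_approved(uri: str) -> bool:
    """Vulnerable pattern: compare the raw string to an approved prefix.

    Over-matches because scheme, host and path are never separated: a
    look-alike host, userinfo before '@', or an unresolved '..' segment all
    survive the check. It also under-matches on harmless case differences.
    """
    return any(uri.startswith(f"https://{host}") for host in APPROVED_HOSTS)


def canonicalize(uri: str):
    """Return (scheme, host, port, path) after normalization, or None.

    Steps: treat backslashes as slashes (as browsers do), split into
    components, lower-case scheme and host, reject userinfo, percent-decode
    the path, then resolve '.' and '..' so traversal cannot hide behind
    encoding. None means the URI is unparseable or carries userinfo.
    """
    parts = urlsplit(uri.replace("\\", "/"))
    try:
        port = parts.port            # raises ValueError on a malformed port
    except ValueError:
        return None
    if parts.username is not None or parts.password is not None:
        return None                  # "approved.host@evil.host" trick
    host = (parts.hostname or "").lower()
    decoded = unquote(parts.path)
    # normpath would keep a leading "//" untouched, so collapse leading slashes first
    path = posixpath.normpath("/" + decoded.lstrip("/"))
    if decoded.endswith("/") and not path.endswith("/"):
        path += "/"                  # normpath strips the trailing slash
    return parts.scheme.lower(), host, port, path


def canonical_is_approved(uri: str) -> bool:
    """Hardened check: decide on canonical components, not on the raw string."""
    canon = canonicalize(uri)
    if canon is None:
        return False
    scheme, host, port, path = canon
    return (
        scheme == "https"
        and host in APPROVED_HOSTS
        and port in (None, 443)
        and path.startswith(APPROVED_PATH_PREFIX)
    )


# Constructed sample inputs: the first two are legitimate, the rest are bypass attempts.
SAMPLES = [
    "https://updates.example.com/installer/setup.bat",
    "HTTPS://Updates.Example.COM/installer/setup.bat",                    # case only
    "https://updates.example.com@evil.example.net/installer/setup.bat",   # userinfo trick
    "https://updates.example.com.evil.example.net/installer/setup.bat",   # look-alike host
    "https://updates.example.com/installer/../share/evil.bat",            # dot-segment escape
    "https://updates.example.com/installer/%2e%2e/share/evil.bat",        # encoded escape
]


def compare(samples=SAMPLES):
    """Map each sample URI to (naive verdict, canonical verdict)."""
    return {u: (naive_is_approved(u), canonical_is_approved(u)) for u in samples}


if __name__ == "__main__":
    for uri, (naive, canon) in compare().items():
        print(f"naive={str(naive):5} canonical={str(canon):5} {uri}")
```

The naive check accepts every bypass attempt and rejects the upper-case legitimate URI; the canonical check does the opposite. Note that decoding the path before resolving dot segments is deliberate: an encoded `%2e%2e` must be resolved, not compared as literal text.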
Impact
CVSS 3.x Base Score
6.9
CVSS 3.x Severity
MEDIUM
Vulnerable products and versions
| CPE | From | Up to |
|---|---|---|
| cpe:2.3:a:delinea:secret_server:*:*:*:*:on-premises:*:*:* | | 11.9.000006 (excluding) |
References to Advisories, Solutions, and Tools
- https://blog.amberwolf.com/blog/2024/december/cve-2024-12908-delinea-protocol-handler---remote-code-execution-via-update-process/
- https://docs.delinea.com/online-help/secret-server/release-notes/ss-rn-11-7-000049.htm
- https://trust.delinea.com/