CVE-2024-21545

Severity CVSS v4.0:
Pending analysis
Type:
Unavailable / Other
Publication date:
25/09/2024
Last modified:
26/09/2024

Description

Proxmox Virtual Environment is an open-source server management platform for enterprise virtualization. Insufficient safeguards against malicious API response values allow authenticated attackers with 'Sys.Audit' or 'VM.Monitor' privileges to download arbitrary host files via the API.

When handling the result from a request handler before returning it to the user, the handle_api2_request function checks for a 'download' object, or a 'data'->'download' object, inside the response object of the request handler call. If present, handle_api2_request reads the local file defined by this object and returns it to the user.

Two endpoints were identified whose request handlers return an object the caller can control sufficiently that the 'download' object is defined and user controlled. This results in arbitrary file read.

The privileges of this file read can result in full compromise of the system through various impacts, such as disclosure of sensitive files allowing privileged session forgery.
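The dispatcher pattern described above, where a generic layer honours a 'download' directive found in whatever a handler returns, is the trust-boundary mistake a defender wants to close. The following is an added example written for this page, not Proxmox's Perl implementation of handle_api2_request: it shows a post-processing step that only honours a download directive from endpoints explicitly registered for file streaming and only for paths that resolve (symlinks followed) to a regular file inside an allowed root. The endpoint names, the STREAMING_ENDPOINTS / allowed_roots arguments, the DownloadRejected exception and the directory layout built in demo() are all constructed for this example.

```python
"""
Illustrative hardening of a 'download' post-processing step of the kind
described in CVE-2024-21545. Hypothetical example code, not Proxmox's
handle_api2_request; endpoint names, roots and the DownloadRejected
exception are assumptions made for this example.
"""
import tempfile
from pathlib import Path


class DownloadRejected(Exception):
    """Raised when a handler result asks the dispatcher to stream a file it must not."""


def extract_download(result):
    """Return the download directive a handler result carries, if any.

    Mirrors the lookup described in the advisory: a top-level 'download'
    key, or data->download. Returns None when neither is present.
    """
    if not isinstance(result, dict):
        return None
    if "download" in result:
        return result["download"]
    data = result.get("data")
    if isinstance(data, dict) and "download" in data:
        return data["download"]
    return None


def resolve_download(result, endpoint, streaming_endpoints, allowed_roots):
    """Decide whether the dispatcher may stream the file a result points at.

    Two checks close the gap the advisory describes:
      1. only endpoints registered for file streaming may return a download
         directive at all, so a handler whose output echoes caller input
         cannot turn that input into a file read;
      2. the path must resolve (symlinks followed) to a regular file inside
         one of the allowed roots.
    Returns the resolved Path, or None when no download was requested.
    """
    spec = extract_download(result)
    if spec is None:
        return None
    if endpoint not in streaming_endpoints:
        raise DownloadRejected(f"endpoint {endpoint!r} is not registered to stream files")
    path = spec.get("path") if isinstance(spec, dict) else spec
    if not isinstance(path, str) or not path:
        raise DownloadRejected("download directive carries no usable path")
    resolved = Path(path).resolve()
    for root in allowed_roots:
        try:
            resolved.relative_to(Path(root).resolve())
        except ValueError:
            continue
        if resolved.is_file():
            return resolved
    raise DownloadRejected(f"{path!r} is not a regular file inside an allowed root")


def classify(result, endpoint, streaming_endpoints, allowed_roots):
    """Collapse resolve_download's outcome into a label for reporting."""
    try:
        found = resolve_download(result, endpoint, streaming_endpoints, allowed_roots)
    except DownloadRejected:
        return "rejected"
    return "allowed" if found is not None else "no-download"


def demo():
    """Exercise the checks against a constructed directory layout; returns outcomes by case."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / "exports"          # constructed allowed root
        root.mkdir()
        (root / "backup.log").write_text("constructed sample export\n")
        secret = Path(tmp) / "secret.key"     # constructed file outside the root
        secret.write_text("constructed sample secret\n")
        streaming = {"/nodes/export"}         # constructed streaming allowlist
        outcomes = {
            "inside_root": classify({"download": str(root / "backup.log")},
                                    "/nodes/export", streaming, [root]),
            "traversal": classify({"data": {"download": str(root / ".." / "secret.key")}},
                                  "/nodes/export", streaming, [root]),
            "outside_root": classify({"download": str(secret)},
                                     "/nodes/export", streaming, [root]),
            "unregistered_endpoint": classify({"download": str(root / "backup.log")},
                                              "/nodes/status", streaming, [root]),
            "plain_result": classify({"data": {"status": "running"}},
                                     "/nodes/status", streaming, [root]),
        }
        link = root / "escape"
        try:
            link.symlink_to(secret)           # symlink inside the root pointing outside it
            outcomes["symlink_escape"] = classify({"download": str(link)},
                                                  "/nodes/export", streaming, [root])
        except OSError:
            outcomes["symlink_escape"] = "skipped"
    return outcomes


if __name__ == "__main__":
    for case, outcome in demo().items():
        print(f"{case:22s} {outcome}")
```

The first check is the one that matters most for the bug class in the advisory: even a perfect path allowlist does not help if any endpoint whose response echoes caller-supplied data can cause the dispatcher to open a file, so the right to return a download directive should be a static property of the endpoint, not something inferred from the shape of the response.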