Critical Vulnerability Information

1. CVE-2024-48729: Broken Object Level Authorization
   Description: In OSM MANO, API handlers fetch objects by identifier without verifying that the caller owns them (an object-level authorization flaw), so an authenticated attacker can read and modify resources belonging to other users via API calls.
   Impact: Attackers bypass permission checks and read or modify projects and user data that do not belong to them.
   Example:
   - An attacker retrieves or modifies another user's resources by sending crafted HTTP requests that reference that user's object identifiers.

2. Account Take-over through Credential Replacement
   Description: Using the authorization flaw in CVE-2024-48729, an attacker can replace the credentials of another account, including an administrator's, and then authenticate as that account.
   Impact: Full control of the target account, including access to its sensitive data and the ability to perform administrative operations.
   Example:
   - An attacker logs in with the replaced credentials and performs malicious actions as the victim.

3. Privilege Escalation by Role Self Assignment
   Description: Role assignment is not restricted to administrators, so an authenticated user can assign roles to their own account.
   Impact: Attackers grant themselves higher-privilege roles, gaining access to more resources and operations.
   Example:
   - An attacker sends crafted HTTP requests that assign the administrator role to their own account.

4. Denial of Service by Role Assignment
   Description: There is no bound on the number of role assignments a caller may create, so an attacker can create a very large number of them.
   Impact: A high volume of role-assignment requests exhausts system resources and renders the service unavailable.
   Example:
   - An attacker sends numerous role-assignment requests until the service runs out of resources and stops responding.

5. CVE-2024-49730: Improper Restriction of Excessive Authentication Attempts
   Description: The system does not limit repeated failed authentication attempts, which enables brute-force attacks against user credentials.
   Impact: Attackers can guess valid usernames and passwords by repeatedly submitting different credentials.
   Example:
   - An attacker sends a large number of authentication requests until a correct username/password pair is found.

Taken together, these details describe five related weaknesses in OSM MANO: broken object-level authorization, account takeover built on it, privilege escalation through role self-assignment, denial of service through unbounded role assignment, and missing restriction of authentication attempts.
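The following is an added illustration of the authorization bug classes in items 1 through 4, not code from OSM MANO or its advisory. It models a tiny northbound API with constructed users, projects and resources; the handler names, the `MAX_ROLES_PER_USER` cap and the sample data are all assumptions made for the example. Each vulnerable handler (object fetched by id with no ownership check, password change with no caller check, role assignment open to everyone) sits next to its hardened form.

```python
"""Constructed stand-in for a northbound API showing object-level
authorization, credential replacement and role-assignment checks.
Added example; not OSM MANO code. All data below is made up."""
from dataclasses import dataclass, field


class Forbidden(Exception):
    """Caller is not allowed to act on the requested object."""


class TooManyAssignments(Exception):
    """A role-assignment cap (hypothetical) would be exceeded."""


@dataclass
class User:
    name: str
    project: str
    password: str
    roles: set = field(default_factory=set)


@dataclass
class Resource:
    res_id: str
    project: str
    data: dict


class Nbi:
    """Each *_vulnerable handler is paired with its fixed version."""

    MAX_ROLES_PER_USER = 3  # hypothetical cap bounding item 4

    def __init__(self):
        # Constructed sample state: two tenants and one administrator.
        self.users = {
            "alice": User("alice", "proj-a", "alice-pw", {"member"}),
            "bob": User("bob", "proj-b", "bob-pw", {"member"}),
            "root": User("root", "admin", "root-pw", {"admin"}),
        }
        self.resources = {
            "r1": Resource("r1", "proj-a", {"name": "alice-ns"}),
            "r2": Resource("r2", "proj-b", {"name": "bob-ns"}),
        }

    def _is_admin(self, caller):
        return "admin" in self.users[caller].roles

    # Item 1: broken object level authorization.
    def get_resource_vulnerable(self, caller, res_id):
        # Caller is authenticated, but the object is looked up by id alone.
        return self.resources[res_id].data

    def get_resource(self, caller, res_id):
        # Fixed: ownership (project membership) is checked on every access.
        res = self.resources[res_id]
        if not self._is_admin(caller) and res.project != self.users[caller].project:
            raise Forbidden(f"{caller} may not read {res_id}")
        return res.data

    # Item 2: credential replacement leading to account takeover.
    def set_password_vulnerable(self, caller, target, new_pw):
        self.users[target].password = new_pw  # no check on who asked
        return True

    def set_password(self, caller, target, new_pw):
        # Fixed: only the account owner or an administrator may change it.
        if caller != target and not self._is_admin(caller):
            raise Forbidden(f"{caller} may not change {target}'s password")
        self.users[target].password = new_pw
        return True

    # Items 3 and 4: role self-assignment and unbounded assignments.
    def assign_role_vulnerable(self, caller, target, role):
        self.users[target].roles.add(role)  # anyone can grant any role
        return sorted(self.users[target].roles)

    def assign_role(self, caller, target, role):
        # Fixed: admin-only, idempotent, and capped per user.
        if not self._is_admin(caller):
            raise Forbidden(f"{caller} may not assign roles")
        roles = self.users[target].roles
        if role not in roles and len(roles) >= self.MAX_ROLES_PER_USER:
            raise TooManyAssignments(f"{target} already holds {len(roles)} roles")
        roles.add(role)
        return sorted(roles)

    def login(self, name, password):
        user = self.users.get(name)
        return user is not None and user.password == password


if __name__ == "__main__":
    api = Nbi()
    print("cross-tenant read (vulnerable):", api.get_resource_vulnerable("alice", "r2"))
    api.set_password_vulnerable("bob", "root", "pwned")
    print("login as root with replaced password:", api.login("root", "pwned"))
```

The fixed handlers share one property worth checking in review: every path that touches an object first resolves the caller's project and roles and compares them with the object's, rather than trusting the identifier in the request.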
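As an added example for item 5 (not OSM MANO code), the block below shows one way to restrict excessive authentication attempts: failed logins are counted per account and per source address, and either counter reaching a threshold locks that key for a period, during which even the correct password is refused. The thresholds, the injectable clock, the PBKDF2 parameters and the sample user are assumptions made for the example.

```python
"""Added example of authentication-attempt limiting with temporary lockout.
Not OSM MANO code; thresholds and the sample user store are constructed."""
import hashlib
import hmac
import os
import time

MAX_FAILURES = 5        # hypothetical: failures before a key is locked
LOCKOUT_SECONDS = 300   # hypothetical: how long a locked key stays locked
PBKDF2_ITERATIONS = 100_000


def _hash(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)


class Authenticator:
    """Verifies passwords and throttles brute force per account and per source."""

    def __init__(self, users, clock=time.monotonic):
        # users: {name: cleartext password}, constructed for the example;
        # a real store would receive already-hashed credentials.
        self.clock = clock
        self.creds = {}
        for name, pw in users.items():
            salt = os.urandom(16)
            self.creds[name] = (salt, _hash(pw, salt))
        # Dummy credential so unknown users cost the same time as known ones.
        self._dummy = (os.urandom(16), _hash(os.urandom(8).hex(), b"x" * 16))
        # key ("user:<name>" or "src:<addr>") -> [failure_count, locked_until]
        self.state = {}

    def _entry(self, key):
        return self.state.setdefault(key, [0, 0.0])

    def _locked(self, key, now):
        return self._entry(key)[1] > now

    def _fail(self, key, now):
        entry = self._entry(key)
        entry[0] += 1
        if entry[0] >= MAX_FAILURES:
            entry[0] = 0
            entry[1] = now + LOCKOUT_SECONDS

    def _clear(self, key):
        self.state.pop(key, None)

    def login(self, name, password, source):
        """Returns "ok", "denied" (bad credentials) or "locked" (throttled)."""
        now = self.clock()
        user_key, src_key = f"user:{name}", f"src:{source}"
        # Check locks before verifying, so a locked key never leaks whether
        # the guess was right and costs the attacker no hash work.
        if self._locked(user_key, now) or self._locked(src_key, now):
            return "locked"
        salt, expected = self.creds.get(name, self._dummy)
        if name in self.creds and hmac.compare_digest(_hash(password, salt), expected):
            self._clear(user_key)
            return "ok"
        self._fail(user_key, now)
        self._fail(src_key, now)
        return "denied"


if __name__ == "__main__":
    auth = Authenticator({"admin": "correct horse battery"})
    for guess in ("a", "b", "c", "d", "e", "correct horse battery"):
        print(guess, "->", auth.login("admin", guess, "198.51.100.7"))
```

Locking by source as well as by account matters because a spray across many usernames from one address never trips a per-account counter; the trade-off is that a shared NAT address can be locked by one abusive client, so production deployments usually pair this with a slower, longer-lived per-account counter.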