← Back

CVE-2024-11946

nvd nist
Published: Dec 30, 2024Modified: Aug 18, 2025

JSON object

Loading...
6.5
Vector
CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
Exploitability: 2.8 / Impact: 3.6
Source: NVD

Description

iXsystems TrueNAS CORE fetch_plugin_packagesites tar Cleartext Transmission of Sensitive Information Vulnerability. This vulnerability allows network-adjacent attackers to tamper with firmware update files on affected installations of iXsystems TrueNAS devices. Authentication is not required to exploit this vulnerability. The specific flaw exists within the handling of firmware updates. The issue results from the use of an insecure protocol to deliver updates. An attacker can leverage this in conjunction with other vulnerabilities to execute arbitrary code in the context of root. Was ZDI-CAN-25668.

Affected (16)

Ixsystems
1 product
Truenas Firmware
Configuration A
16 vulnerable · 1 platform
Vulnerable SoftwareAffected Versions
Ixsystems
Truenas Firmware
Version 13.0
Truenas Firmware
Version 13.0 beta1
Truenas Firmware
Version 13.0 rc1
Truenas Firmware
Version 13.0 u1.1
Truenas Firmware
Version 13.0 u1
Truenas Firmware
Version 13.0 u2
Truenas Firmware
Version 13.0 u3.1
Truenas Firmware
Version 13.0 u3
Truenas Firmware
Version 13.0 u4
Truenas Firmware
Version 13.0 u5.1
Truenas Firmware
Version 13.0 u5.2
Truenas Firmware
Version 13.0 u5.3
Truenas Firmware
Version 13.0 u5
Truenas Firmware
Version 13.0 u6.1
Truenas Firmware
Version 13.0 u6.2
Truenas Firmware
Version 13.0 u6
Running on/withPlatform Versions
Ixsystems
Truenas
All versions

Related CWEs

CWE-319
Cleartext Transmission of Sensitive Information
The product transmits sensitive or security-critical data in cleartext in a communication channel that can be sniffed by unauthorized actors.

References (2)

Source: zdi-disclosures@trendmicro.com
Release Notes
Source: zdi-disclosures@trendmicro.com
Third Party Advisory

Timeline

No history available yet.