CVE-2024-21815

Severity: Critical CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:L

Components affected: Command Centre Server

Version of Command Centre affected:  9.00 prior to vEL9.00.1774 (MR2), 8.90 prior to vEL8.90.1751 (MR3), 8.80 prior to vEL8.80.1526 (MR4), 8.70 prior to vEL8.70.2526 (MR6), all version of 8.60 and prior.

Reported by: Gallagher Internal

Active exploitation of vulnerability*: No

Description of vulnerability: Insufficiently protected credentials (CWE-522) for third party DVR integrations to the Command Centre Server are accessible to authenticated but unprivileged users. 

This issue affects: Gallagher Command Centre: 9.00 prior to vEL9.00.1774 (MR2), 8.90 prior to vEL8.90.1751 (MR3), 8.80 prior to vEL8.80.1526 (MR4), 8.70 prior to vEL8.70.2526 (MR6),  all version of 8.60 and prior.

Mitigation: Only sites with DVR integrations are affected. 

Maintenance releases are now available for:

• ·v9.00 - v9.00.1774 (MR2)
• ·v8.90 - v8.90.1751 (MR3)
• ·v8.80 - v8.80.1526 (MR4)
• ·v8.70 - v8.70.2526 (MR6)

Important notes:

*This indicates whether Gallagher are aware of this being actively exploited against customer sites at the time of publication.