CVE-2024-35204
Published: 14 May 2024
Summary
CVE-2024-35204 is a high-severity Least Privilege Violation (CWE-272) vulnerability in Veritas System Recovery (inferred from references). Its CVSS base score is 8.4 (High).
Operationally, ranked at the 7.0th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2024-35235
Vulnerability details
Veritas System Recovery before 23.3_Hotfix has incorrect permissions for the Veritas System Recovery folder, and thus low-privileged users can conduct attacks.
- CWE(s)
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Mitigating Controls
Likely Mitigating Controls AI
Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.
Review and update requirements help detect and correct least privilege violations in practice.
Access reviews verify and enforce adherence to least privilege by identifying excess permissions.
Requiring specification of intended system usage and access authorizations, plus periodic reviews, supports enforcement of least privilege.
Separation of duties is a direct mechanism to enforce least privilege by ensuring no individual receives more access than required for their isolated responsibilities.
Enforces the least privilege principle to avoid violations of minimal necessary access.
Enforcing only the minimal set of functionality implements least privilege by eliminating unneeded capabilities that could be abused.
The control mandates acknowledgment of least-privilege expectations, making violations by authorized users less likely.
Risk Executive role ensures least privilege is applied uniformly rather than left to individual system owners or projects.