DriveLock Enterprise Service Information Disclosure Vulnerability
Vulnerability
A vulnerability allowing information disclosure has been identified in DriveLock versions 24.1 prior to 24.1.6, 24.2 prior to 24.2.7, and 25.1 prior to 25.1.5. This issue arises from inadequate permission checks in the DriveLock Enterprise Service API, which could enable authenticated users to access the computer count of other tenants. The vulnerability primarily impacts cloud customers.
Impact
Exploitation of this vulnerability allows authenticated users to access information about the number of computers belonging to other tenants, which could be used for unauthorized insights into tenant activities or resource allocations.
Remediation
Users are advised to update to DriveLock version 25.1.5, the first version that addresses this vulnerability. It is also recommended to use the latest release of DriveLock for ongoing improvements and security enhancements.
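The affected ranges listed above can be turned into an inventory check. The following is an added example, not DriveLock's own code or tooling: it classifies installed versions against the three branches named in this advisory. The host names, the sample versions and the assumption that a version string starts with `major.minor.build` are constructed for illustration.

```python
# Added example: triage an inventory against the affected ranges in this advisory.
import re

# Affected branch -> first fixed build on that branch, as listed in the advisory.
FIXED_BUILDS = {(24, 1): 6, (24, 2): 7, (25, 1): 5}


def parse_version(text):
    """Return (major, minor, build) from strings like '24.2.6' or '24.2.6.4410'."""
    match = re.match(r"^\s*(\d+)\.(\d+)(?:\.(\d+))?", text)
    if not match:
        raise ValueError(f"unrecognised version string: {text!r}")
    major, minor, build = match.groups()
    # Assumption: a missing build number means the branch's initial release.
    return int(major), int(minor), int(build or 0)


def classify(version_text):
    """Return 'affected', 'fixed' or 'not-listed' for one version string."""
    major, minor, build = parse_version(version_text)
    fixed_build = FIXED_BUILDS.get((major, minor))
    if fixed_build is None:
        # The advisory says nothing about this branch; do not guess either way.
        return "not-listed"
    return "affected" if build < fixed_build else "fixed"


def triage(inventory):
    """Group hosts by status. inventory: iterable of (host, version) pairs."""
    result = {"affected": [], "fixed": [], "not-listed": [], "unparsed": []}
    for host, version in inventory:
        try:
            result[classify(version)].append(host)
        except ValueError:
            result["unparsed"].append(host)
    return result


# Constructed sample inventory (host names and versions are made up).
SAMPLE_INVENTORY = [
    ("des-01", "24.1.5"),
    ("des-02", "24.1.6"),
    ("des-03", "24.2.6.4410"),
    ("des-04", "25.1.5"),
    ("des-05", "23.2.9"),
    ("des-06", "unknown"),
]

if __name__ == "__main__":
    for status, hosts in triage(SAMPLE_INVENTORY).items():
        print(f"{status}: {', '.join(hosts) or '-'}")
```

Hosts reported as `not-listed` or `unparsed` need manual review, since the advisory does not state whether branches outside 24.1, 24.2 and 25.1 are affected.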
