CVE-2024-5014: 
WhatsUp Gold vulnerability analysis and mitigation

A Server Side Request Forgery (SSRF) vulnerability was identified in Progress Software's WhatsUp Gold versions prior to 2023.1.3, specifically in the GetASPReport feature. The vulnerability, tracked as CVE-2024-5014, was discovered on March 7, 2024, and publicly disclosed on June 25, 2024. This security flaw affects the WhatsUp Gold network monitoring software and allows authenticated users to retrieve ASP reports from HTML forms (ZDI Advisory, CVE Mitre).

The vulnerability exists within the GetASPReport method and stems from inadequate authorization controls prior to allowing access to functionality. It has been assigned a CVSS score of 7.1 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N), indicating a high severity level. The technical assessment confirms that authentication is required to exploit this vulnerability (ZDI Advisory).

The exploitation of this vulnerability could allow attackers to disclose sensitive information in the context of the application. The impact is particularly significant as it affects the network monitoring capabilities of WhatsUp Gold, potentially exposing critical system information to authenticated users (Rapid7).

Progress Software has released version 2023.1.3 of WhatsUp Gold to address this vulnerability. Users are advised to upgrade to this latest version to mitigate the risk. The fix was released as part of the June 2024 security bulletin (Progress Community).