exploitDog

GHSA-v46j-h43h-rwrm

Published: Oct 25, 2024
Source: github
GitHub: Reviewed
CVSS4: 7.1
CVSS3: 8.8

Description

Autolab Misconfigured Reset Password Permissions

Impact

For email-based accounts, users with insufficient privileges could reset and theoretically access privileged users' accounts by resetting their passwords.

Patches

This is fixed in v3.0.1.

Workarounds

No workarounds.

For more information

If you have any questions or comments about this advisory:

Open an issue in https://github.com/autolab/Autolab/
Email us at autolab-dev@andrew.cmu.edu

Packages

Name: Autolab (rubygems)
Affected versions: = 3.0.0
Fixed version: 3.0.1

EPSS

Percentile: 50%
Score: 0.00274
Low

CVSS4: 7.1 High
CVSS3: 8.8 High

Weaknesses

CWE-287
CWE-863

Related vulnerabilities

CVSS3: 8.8
Source: nvd
more than 1 year ago

Autolab, a course management service that enables auto-graded programming assignments, has misconfigured reset password permissions in version 3.0.0. For email-based accounts, users with insufficient privileges could reset and theoretically access privileged users' accounts by resetting their passwords. This issue is fixed in version 3.0.1. No known workarounds exist.
