CVE-2024-8509

Опубликовано: 06 сент. 2024

Источник: redhat

CVSS3: 7.5

Описание

A vulnerability was found in Forklift Controller. There is no verification against the authorization header except to ensure it uses bearer authentication. Without an Authorization header and some form of a Bearer token, a 401 error occurs. The presence of a token value provides a 200 response with the requested information.

Отчет

This vulnerability represents a important severity issue due to its direct impact on the API's authentication and authorization mechanisms. By failing to properly validate the Bearer token in the Authorization header, the API inadvertently allows unauthorized users to access protected resources, leading to potential data breaches and unauthorized operations. The absence of token verification bypasses the core security controls designed to restrict access, thereby exposing sensitive data and system functionalities to malicious actors.

Меры по смягчению последствий

Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.

Ссылки на источники

Дополнительная информация

Статус:

Important

Дефект:

CWE-285

https://bugzilla.redhat.com/show_bug.cgi?id=2310406Migration Toolkit for Virtualization: forklift-controller: Empty bearer token may perform authentication

7.5 High

CVSS3

Связанные уязвимости

CVE-2024-8509

CVSS3: 7.5

nvd

больше 1 года назад

GHSA-5xmf-5w3g-qm87

CVSS3: 7.5

github

больше 1 года назад

BDU:2024-07247

CVSS3: 7.5

fstec

больше 1 года назад

Уязвимость компонента Forklift Controller инструмента миграции для виртуализации Red Hat Migration Toolkit for Virtualization, позволяющая нарушителю раскрыть защищаемую информации

7.5 High

CVSS3