Safety vulnerability ID: 78814
The information on this page was manually curated by our Cybersecurity Intelligence Team.
Affected versions of the codechecker package are vulnerable to Authentication Bypass due to improper URL path validation in the API endpoint handling. The vulnerability occurs when API URLs end with specific strings like "Authentication", "Configuration", or "ServerInfo", which causes the authentication mechanism to be bypassed and grants superuser privileges to all API endpoints except the Authentication endpoint itself. An unauthenticated remote attacker can exploit this vulnerability by crafting API requests with valid CodeChecker endpoints that terminate with these specific strings, allowing them to query, add, modify, or delete products on the CodeChecker server without any authentication.
Latest version: 6.26.0
CodeChecker is an analyzer tooling, defect database and viewer extension
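The flaw class described in the advisory above, shown as an added example (not CodeChecker's code, and not taken from its fix): an authentication check that trusts how the URL ends, beside one that decides from the endpoint actually dispatched. The `/api/<endpoint>` layout, the function names, and the sample paths are assumptions constructed for illustration; only the three exempt names come from the advisory.

```python
from urllib.parse import urlsplit

# Endpoint names quoted in the advisory text.
EXEMPT_NAMES = ("Authentication", "Configuration", "ServerInfo")


def _segments(url):
    """Non-empty path segments, with query string and fragment stripped."""
    return [s for s in urlsplit(url).path.split("/") if s]


def routed_endpoint(url):
    """Endpoint a hypothetical dispatcher would call: first segment after /api."""
    seg = _segments(url)
    return seg[1] if len(seg) >= 2 and seg[0] == "api" else None


def needs_auth_suffix_check(url):
    """Flawed: exempts a request based on how the path ends,
    not on which endpoint will actually handle it."""
    return not urlsplit(url).path.endswith(EXEMPT_NAMES)


def needs_auth_strict(url):
    """Hardened: exempt only an exact /api/<exempt name> path.
    Anything else, including unparseable paths, requires a session."""
    seg = _segments(url)
    return not (len(seg) == 2 and seg[0] == "api" and seg[1] in EXEMPT_NAMES)


def audit(urls):
    """Return (url, routed endpoint) for every request the suffix check
    would let through unauthenticated although the strict check would not.
    Usable as a regression test or over paths pulled from access logs."""
    return [
        (u, routed_endpoint(u))
        for u in urls
        if not needs_auth_suffix_check(u) and needs_auth_strict(u)
    ]


# Constructed sample paths for the hypothetical /api/<endpoint> layout.
SAMPLE = [
    "/api/Authentication",                 # genuinely exempt
    "/api/Products",                       # protected, both checks agree
    "/api/Products/ServerInfo",            # ends with an exempt name, routes elsewhere
    "/api/Products/x?next=Configuration",  # exempt name only in the query string
]

if __name__ == "__main__":
    for url, endpoint in audit(SAMPLE):
        print(f"suffix check skips auth for {url!r} (dispatched to {endpoint!r})")
```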