Safety vulnerability ID: 78816
The information on this page was manually curated by our Cybersecurity Intelligence Team.
Affected versions of the codechecker package are vulnerable to Authentication Method Confusion due to improper validation of the authentication source for the built-in root user account. The vulnerability exists in versions through 6.24.1. On first start CodeChecker auto-generates a superuser account whose username is derived weakly and stores it in the root.user file; this account cannot be disabled, and superuser permissions are granted purely on the basis of the username, without checking which authentication service actually authenticated the session. An attacker who can create an account on any enabled external authentication service (such as LDAP or PAM) can therefore register with the same username as the built-in root user and log in through that service, thereby gaining full administrative access to the CodeChecker instance and control over all functionality reachable through the web interface. Note that the external service need not be compromised: it only has to accept a self-chosen username, which is enough because the authorization decision never looks at the account's origin.
Latest version: 6.26.0
CodeChecker is an analyzer tooling, defect database and viewer extension
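The following is an added illustration of the confusion described above, not CodeChecker's own code. It models the advisory's two facts (a root username kept in a root.user file, and external backends such as LDAP or PAM that accept an attacker-chosen username) and contrasts a permission check keyed on the username alone with one keyed on the authenticating backend as well. The root.user line format, the backend labels, the Session type and all function names are assumptions made for the example; the hardened check shows one reasonable mitigation and is not a description of the project's actual fix.

```python
"""Toy model of authentication-method confusion on a built-in root account.

Added example code, not CodeChecker's implementation. The root.user format,
backend labels ("root_file", "ldap", "pam") and function names are assumed.
"""
from dataclasses import dataclass

# Constructed sample content of a root.user file: "<username>:<password-hash>".
# The real file format is not specified here; this layout is an assumption.
ROOT_USER_FILE = "root_AbC123:$6$constructed$hashvalue"


def root_username(root_user_file: str = ROOT_USER_FILE) -> str:
    """Return the built-in root username stored in root.user (assumed format)."""
    return root_user_file.split(":", 1)[0]


@dataclass(frozen=True)
class Session:
    """An authenticated session: who logged in and which backend vouched for them."""
    username: str
    auth_source: str  # hypothetical labels: "root_file", "ldap", "pam"


def simulate_external_login(username: str, backend: str) -> Session:
    """Model an external backend (LDAP, PAM) that accepts any username the
    attacker was able to register. The backend never consults root.user, so it
    happily authenticates a user named exactly like the built-in root."""
    return Session(username=username, auth_source=backend)


def is_superuser_vulnerable(session: Session) -> bool:
    """Vulnerable check: decides on the username alone.

    Any session whose username equals the root username is a superuser,
    regardless of which service authenticated it. An LDAP/PAM account with a
    colliding name therefore inherits superuser rights."""
    return session.username == root_username()


def is_superuser_fixed(session: Session) -> bool:
    """Hardened check (one possible mitigation, assumed for this example):
    the built-in root is a superuser only when the session was authenticated
    by the local root.user backend. A same-named user from LDAP or PAM is an
    ordinary user."""
    return session.auth_source == "root_file" and session.username == root_username()


def demo() -> dict:
    """Run the attacker's collision login through both checks."""
    attacker = simulate_external_login(root_username(), "ldap")
    real_root = Session(username=root_username(), auth_source="root_file")
    return {
        "attacker_vulnerable": is_superuser_vulnerable(attacker),  # True: takeover
        "attacker_fixed": is_superuser_fixed(attacker),            # False: denied
        "root_fixed": is_superuser_fixed(real_root),               # True: still works
    }


if __name__ == "__main__":
    print(demo())
```

The takeaway for a reviewer of any multi-backend login system is the same as in the fixed check: an authorization decision that special-cases a built-in account must key on the (backend, username) pair, never on the username string alone, because a second backend is a second namespace in which that string can be claimed by anyone.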