DIRAC's TokenManager does not check permissions on cached tokens · CVE-2024-24825 · GitHub Advisory Database · GitHub

DIRAC's TokenManager does not check permissions on cached tokens

Critical severity GitHub Reviewed Published Feb 8, 2024 in DIRACGrid/DIRAC • Updated Mar 25, 2024

Package

DIRAC (pip)

Affected versions

>= 8.0.0, < 8.0.37

Patched versions

8.0.37

Description

Impact

Any user could get a token that has been requested by another user/agent

Patches

The vulnerability is fixed in version 8.0.37.

Workarounds

None

References

References

chrisburr published to DIRACGrid/DIRAC

Feb 8, 2024

Published to the GitHub Advisory Database Feb 8, 2024

Reviewed Feb 8, 2024

Published by the National Vulnerability Database

Feb 9, 2024

Last updated Mar 25, 2024

Severity

Critical

9.1

/ 10

CVSS base metrics

Attack vector

Network

Attack complexity

Low

Privileges required

None

User interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

None

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N