Severity
NVD: 9.0 CRITICAL
CNA: 8.7
EPSS
0.4% (top 39.95%)
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
Timeline
Published: Nov 6

Description

CodeChecker is an analyzer tooling, defect database and viewer extension for the Clang Static Analyzer and Clang Tidy. Authentication method confusion allows logging in as the built-in root user from an external service. The built-in root user up until 6.24.1 is generated in a weak manner, cannot be disabled, and has universal access. This vulnerability allows an attacker who can create an account on an enabled external authentication service to log in as the root user, and access and control ev

CVSS vector

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H
Exploitability: 2.2 | Impact: 6.0

Affected Packages (3 packages)

NVD: ericsson/codechecker < 6.24.2
PyPI: ericsson/codechecker < 6.24.2
CVEListV5: ericsson/codechecker 6.24.1

Vulnerability Details (4 references)

OSV: codechecker authentication method confusion vulnerability allows logging in as the built-in root user from an external service (2024-11-06)
GHSA: codechecker authentication method confusion vulnerability allows logging in as the built-in root user from an external service (2024-11-06)
CVEList: CVE-2024-10082: CodeChecker is an analyzer tooling, defect database and viewer extension for the Clang Static Analyzer and Clang Tidy (2024-11-06)
OSV: CVE-2024-10082: CodeChecker is an analyzer tooling, defect database and viewer extension for the Clang Static Analyzer and Clang Tidy (2024-11-06)
CVE-2024-10082 — Ericsson Codechecker vulnerability | cvebase