CVE-2024-32470

Tolgee' API keys created by server admin users bypass the permission check

CVSS 6.5 MEDIUMEPSS 0.6%CWE-863

Vexday Risk Score

13Baixo

Decisão SSVC (CISA)

Track

Sem sinal de exploração → monitorar

CVSS 6.5EPSS 0.6%KEV nãoPoC —Nuclei —Metasploit —Patch —

Ciclo de vida

18 abr 2024Publicada no NVD

Recomendação: Monitorar — sem sinal de exploração no momento.

Tolgee is an open-source localization platform. When API key created by admin user is used it bypasses the permission check at all. This error was introduced in v3.57.2 and immediately fixed in v3.57.4.

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:N

Produtos afetados

tolgee · tolgee-platform

Quer saber se a sua infraestrutura está exposta a isto?

Falar com a TrueHacking →

Referências

https://github.com/tolgee/tolgee-platform/commit/a0d861028d931f8a54387770eaf3a75031b81234 https://github.com/tolgee/tolgee-platform/security/advisories/GHSA-pm57-hcm8-38gw https://github.com/tolgee/tolgee-platform/security/advisories/GHSA-r95p-fqqv-fppc