CVE-2024-23687 - OpenCVE

Hard-coded credentials in FOLIO mod-data-export-spring versions before 1.5.4 and from 2.0.0 to 2.0.2 allows unauthenticated users to access critical APIs, modify user data, modify configurations including single-sign-on, and manipulate fees/fines.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact None

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Openlibraryfoundation	Mod-data-export-spring

Configuration 1 [-]

OR	cpe:2.3:a:openlibraryfoundation:mod-data-export-spring::::::::
	cpe:2.3:a:openlibraryfoundation:mod-data-export-spring::::::::

No data.

References

Link	Providers
https://github.com/advisories/GHSA-vf78-3q9f-92g3
https://github.com/folio-org/mod-data-export-spring/commit/93aff4566bff59e30f4121b5a2bda5b0b508a446
https://github.com/folio-org/mod-data-export-spring/security/advisories/GHSA-vf78-3q9f-92g3
https://vulncheck.com/advisories/vc-advisory-GHSA-vf78-3q9f-92g3
https://wiki.folio.org/x/hbMMBw

History

No history.

MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published: 2024-01-19T21:15:18.503Z

Updated: 2024-08-01T23:06:25.426Z

Reserved: 2024-01-19T17:35:09.985Z

Link: CVE-2024-23687

Vulnrichment

No data.

NVD

Status : Analyzed

Published: 2024-01-19T22:15:08.517

Modified: 2024-01-26T16:54:13.900

Link: CVE-2024-23687

Redhat

No data.

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2024-23687", "assignerOrgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10", "state": "PUBLISHED", "assignerShortName": "VulnCheck", "dateReserved": "2024-01-19T17:35:09.985Z", "datePublished": "2024-01-19T21:15:18.503Z", "dateUpdated": "2024-08-01T23:06:25.426Z"}, "containers": {"cna": {"affected": [{"collectionURL": "https://repo.maven.apache.org/maven2", "defaultStatus": "unaffected", "packageName": "org.folio:mod-data-export-spring", "versions": [{"lessThan": "1.5.4", "status": "affected", "version": "0", "versionType": "maven"}, {"lessThan": "2.0.2", "status": "affected", "version": "2.0.0", "versionType": "maven"}]}], "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "<p>Hard-coded credentials in FOLIO mod-data-export-spring versions before 1.5.4 and from 2.0.0 to 2.0.2 allows unauthenticated users to access critical APIs, modify user data, modify configurations including single-sign-on, and manipulate fees/fines.</p>"}], "value": "Hard-coded credentials in FOLIO mod-data-export-spring versions before 1.5.4 and from 2.0.0 to 2.0.2 allows unauthenticated users to access critical APIs, modify user data, modify configurations including single-sign-on, and manipulate fees/fines.\n\n"}], "providerMetadata": {"orgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10", "shortName": "VulnCheck", "dateUpdated": "2024-01-19T21:15:18.503Z"}, "references": [{"tags": ["vendor-advisory"], "url": "https://github.com/folio-org/mod-data-export-spring/security/advisories/GHSA-vf78-3q9f-92g3"}, {"tags": ["patch"], "url": "https://github.com/folio-org/mod-data-export-spring/commit/93aff4566bff59e30f4121b5a2bda5b0b508a446"}, {"tags": ["related"], "url": "https://wiki.folio.org/x/hbMMBw"}, {"tags": ["third-party-advisory"], "url": "https://github.com/advisories/GHSA-vf78-3q9f-92g3"}, {"tags": ["third-party-advisory"], "url": "https://vulncheck.com/advisories/vc-advisory-GHSA-vf78-3q9f-92g3"}], "source": {"discovery": "INTERNAL"}, "title": "FOLIO mod-data-export-spring Hard-Coded Credentials"}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-01T23:06:25.426Z"}, "title": "CVE Program Container", "references": [{"tags": ["vendor-advisory", "x_transferred"], "url": "https://github.com/folio-org/mod-data-export-spring/security/advisories/GHSA-vf78-3q9f-92g3"}, {"tags": ["patch", "x_transferred"], "url": "https://github.com/folio-org/mod-data-export-spring/commit/93aff4566bff59e30f4121b5a2bda5b0b508a446"}, {"tags": ["related", "x_transferred"], "url": "https://wiki.folio.org/x/hbMMBw"}, {"tags": ["third-party-advisory", "x_transferred"], "url": "https://github.com/advisories/GHSA-vf78-3q9f-92g3"}, {"tags": ["third-party-advisory", "x_transferred"], "url": "https://vulncheck.com/advisories/vc-advisory-GHSA-vf78-3q9f-92g3"}]}]}}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:openlibraryfoundation:mod-data-export-spring:*:*:*:*:*:*:*:*", "matchCriteriaId": "EF023FD8-0E0B-4208-BDB3-8F9F73A25B45", "versionEndExcluding": "1.5.4", "vulnerable": true}, {"criteria": "cpe:2.3:a:openlibraryfoundation:mod-data-export-spring:*:*:*:*:*:*:*:*", "matchCriteriaId": "AC95B1BE-9BE8-4C31-B57B-9E4E09E14745", "versionEndExcluding": "2.0.2", "versionStartIncluding": "2.0.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Hard-coded credentials in FOLIO mod-data-export-spring versions before 1.5.4 and from 2.0.0 to 2.0.2 allows unauthenticated users to access critical APIs, modify user data, modify configurations including single-sign-on, and manipulate fees/fines.\n\n"}, {"lang": "es", "value": "Las credenciales codificadas en las versiones FOLIO mod-data-export-spring anteriores a 1.5.4 y de 2.0.0 a 2.0.2 permiten a usuarios no autenticados acceder a API cr\u00edticas, modificar datos de usuario, modificar configuraciones, incluido el inicio de sesi\u00f3n \u00fanico, y manipular tarifas/multas."}], "id": "CVE-2024-23687", "lastModified": "2024-01-26T16:54:13.900", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 9.1, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 5.2, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2024-01-19T22:15:08.517", "references": [{"source": "disclosure@vulncheck.com", "tags": ["Third Party Advisory"], "url": "https://github.com/advisories/GHSA-vf78-3q9f-92g3"}, {"source": "disclosure@vulncheck.com", "tags": ["Patch"], "url": "https://github.com/folio-org/mod-data-export-spring/commit/93aff4566bff59e30f4121b5a2bda5b0b508a446"}, {"source": "disclosure@vulncheck.com", "tags": ["Vendor Advisory"], "url": "https://github.com/folio-org/mod-data-export-spring/security/advisories/GHSA-vf78-3q9f-92g3"}, {"source": "disclosure@vulncheck.com", "tags": ["Third Party Advisory"], "url": "https://vulncheck.com/advisories/vc-advisory-GHSA-vf78-3q9f-92g3"}, {"source": "disclosure@vulncheck.com", "tags": ["Patch", "Vendor Advisory"], "url": "https://wiki.folio.org/x/hbMMBw"}], "sourceIdentifier": "disclosure@vulncheck.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-798"}], "source": "nvd@nist.gov", "type": "Primary"}]}