** UNSUPPORTED WHEN ASSIGNED ** Exposure of Sensitive Information to an Unauthorized Actor vulnerability in Apache Aurora.

An endpoint exposing internals to unauthenticated users can be used as a "padding oracle" allowing an anonymous attacker to construct a valid authentication cookie. Potentially this could be combined with vulnerabilities in other components to achieve remote code execution.

As this project is retired, we do not plan to release a version that fixes this issue. Users are recommended to find an alternative or restrict access to the instance to trusted users.

NOTE: This vulnerability only affects products that are no longer supported by the maintainer.
Fixes

Solution

No solution given by the vendor.


Workaround

No workaround given by the vendor.

History

Sun, 13 Jul 2025 13:45:00 +0000

Type Values Removed Values Added
Metrics epss

{'score': 0.02243}

epss

{'score': 0.02199}


Fri, 11 Jul 2025 13:45:00 +0000

Type Values Removed Values Added
Metrics epss

{'score': 0.01039}

epss

{'score': 0.02243}


Thu, 10 Jul 2025 12:45:00 +0000

Type Values Removed Values Added
First Time appeared Apache
Apache aurora
CPEs cpe:2.3:a:apache:aurora:*:*:*:*:*:*:*:*
Vendors & Products Apache
Apache aurora

Thu, 13 Feb 2025 18:00:00 +0000

Type Values Removed Values Added
Description ** UNSUPPORTED WHEN ASSIGNED ** Exposure of Sensitive Information to an Unauthorized Actor vulnerability in Apache Aurora. An endpoint exposing internals to unauthenticated users can be used as a "padding oracle" allowing an anonymous attacker to construct a valid authentication cookie. Potentially this could be combined with vulnerabilities in other components to achieve remote code execution. As this project is retired, we do not plan to release a version that fixes this issue. Users are recommended to find an alternative or restrict access to the instance to trusted users. NOTE: This vulnerability only affects products that are no longer supported by the maintainer. ** UNSUPPORTED WHEN ASSIGNED ** Exposure of Sensitive Information to an Unauthorized Actor vulnerability in Apache Aurora. An endpoint exposing internals to unauthenticated users can be used as a "padding oracle" allowing an anonymous attacker to construct a valid authentication cookie. Potentially this could be combined with vulnerabilities in other components to achieve remote code execution. As this project is retired, we do not plan to release a version that fixes this issue. Users are recommended to find an alternative or restrict access to the instance to trusted users. NOTE: This vulnerability only affects products that are no longer supported by the maintainer.

cve-icon MITRE

Status: PUBLISHED

Assigner: apache

Published:

Updated: 2025-04-22T16:13:10.660Z

Reserved: 2024-02-27T09:55:31.582Z

Link: CVE-2024-27905

cve-icon Vulnrichment

Updated: 2024-08-02T00:41:55.810Z

cve-icon NVD

Status : Analyzed

Published: 2024-02-27T15:15:07.930

Modified: 2025-07-10T12:23:26.367

Link: CVE-2024-27905

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

No data.