{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2024-28120", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2024-03-04T14:19:14.060Z", "datePublished": "2024-03-11T21:14:22.675Z", "dateUpdated": "2024-08-02T00:48:49.158Z"}, "containers": {"cna": {"title": "API key leak in codeium-chrome", "problemTypes": [{"descriptions": [{"cweId": "CWE-284", "lang": "en", "description": "CWE-284: Improper Access Control", "type": "CWE"}]}, {"descriptions": [{"cweId": "CWE-200", "lang": "en", "description": "CWE-200: Exposure of Sensitive Information to an Unauthorized Actor", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N", "version": "3.1"}}], "references": [{"name": "https://github.com/Exafunction/codeium-chrome/security/advisories/GHSA-8c7j-2h97-q63p", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/Exafunction/codeium-chrome/security/advisories/GHSA-8c7j-2h97-q63p"}, {"name": "https://securitylab.github.com/advisories/GHSL-2024-027_GHSL-2024-028_codeium-chrome", "tags": ["x_refsource_MISC"], "url": "https://securitylab.github.com/advisories/GHSL-2024-027_GHSL-2024-028_codeium-chrome"}], "affected": [{"vendor": "Exafunction", "product": "codeium-chrome", "versions": [{"version": "<= 1.2.52", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2024-03-11T21:14:22.675Z"}, "descriptions": [{"lang": "en", "value": "codeium-chrome is an open source code completion plugin for the chrome web browser. The service worker of the codeium-chrome extension doesn't check the sender when receiving an external message. This allows an attacker to host a website that will steal the user's Codeium api-key, and thus impersonate the user on the backend autocomplete server. This issue has not been addressed. Users are advised to monitor the usage of their API key."}], "source": {"advisory": "GHSA-8c7j-2h97-q63p", "discovery": "UNKNOWN"}}, "adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2024-28120", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2024-03-12T15:50:10.792594Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-06-04T18:04:00.650Z"}}, {"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T00:48:49.158Z"}, "title": "CVE Program Container", "references": [{"name": "https://github.com/Exafunction/codeium-chrome/security/advisories/GHSA-8c7j-2h97-q63p", "tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://github.com/Exafunction/codeium-chrome/security/advisories/GHSA-8c7j-2h97-q63p"}, {"name": "https://securitylab.github.com/advisories/GHSL-2024-027_GHSL-2024-028_codeium-chrome", "tags": ["x_refsource_MISC", "x_transferred"], "url": "https://securitylab.github.com/advisories/GHSL-2024-027_GHSL-2024-028_codeium-chrome"}]}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "https://github.com/Exafunction/codeium-chrome/security/advisories/GHSA-8c7j-2h97-q63p", "name": "https://github.com/Exafunction/codeium-chrome/security/advisories/GHSA-8c7j-2h97-q63p", "tags": ["x_refsource_CONFIRM", "x_transferred"]}, {"url": "https://securitylab.github.com/advisories/GHSL-2024-027_GHSL-2024-028_codeium-chrome", "name": "https://securitylab.github.com/advisories/GHSL-2024-027_GHSL-2024-028_codeium-chrome", "tags": ["x_refsource_MISC", "x_transferred"]}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T00:48:49.158Z"}}, {"metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2024-28120", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2024-03-12T15:50:10.792594Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-05-23T19:01:16.981Z"}, "title": "CISA ADP Vulnrichment"}], "cna": {"title": "API key leak in codeium-chrome", "source": {"advisory": "GHSA-8c7j-2h97-q63p", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 6.5, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N", "integrityImpact": "HIGH", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}}], "affected": [{"vendor": "Exafunction", "product": "codeium-chrome", "versions": [{"status": "affected", "version": "<= 1.2.52"}]}], "references": [{"url": "https://github.com/Exafunction/codeium-chrome/security/advisories/GHSA-8c7j-2h97-q63p", "name": "https://github.com/Exafunction/codeium-chrome/security/advisories/GHSA-8c7j-2h97-q63p", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://securitylab.github.com/advisories/GHSL-2024-027_GHSL-2024-028_codeium-chrome", "name": "https://securitylab.github.com/advisories/GHSL-2024-027_GHSL-2024-028_codeium-chrome", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "codeium-chrome is an open source code completion plugin for the chrome web browser. The service worker of the codeium-chrome extension doesn't check the sender when receiving an external message. This allows an attacker to host a website that will steal the user's Codeium api-key, and thus impersonate the user on the backend autocomplete server. This issue has not been addressed. Users are advised to monitor the usage of their API key."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-284", "description": "CWE-284: Improper Access Control"}]}, {"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-200", "description": "CWE-200: Exposure of Sensitive Information to an Unauthorized Actor"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2024-03-11T21:14:22.675Z"}}}, "cveMetadata": {"cveId": "CVE-2024-28120", "state": "PUBLISHED", "dateUpdated": "2024-08-02T00:48:49.158Z", "dateReserved": "2024-03-04T14:19:14.060Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2024-03-11T21:14:22.675Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.1"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "codeium-chrome is an open source code completion plugin for the chrome web browser. The service worker of the codeium-chrome extension doesn't check the sender when receiving an external message. This allows an attacker to host a website that will steal the user's Codeium api-key, and thus impersonate the user on the backend autocomplete server. This issue has not been addressed. Users are advised to monitor the usage of their API key."}, {"lang": "es", "value": "codeium-chrome es un complemento de finalizaci\u00f3n de c\u00f3digo fuente abierto para el navegador web Chrome. El trabajador de servicio de la extensi\u00f3n codeium-chrome no verifica al remitente cuando recibe un mensaje externo. Esto permite a un atacante alojar un sitio web que robar\u00e1 la clave API de Codeium del usuario y, por lo tanto, se har\u00e1 pasar por el usuario en el servidor de autocompletar backend. Esta cuesti\u00f3n no se ha abordado. Se recomienda a los usuarios que supervisen el uso de su clave API."}], "id": "CVE-2024-28120", "lastModified": "2024-03-12T12:40:13.500", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 3.6, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2024-03-11T22:15:55.707", "references": [{"source": "security-advisories@github.com", "url": "https://github.com/Exafunction/codeium-chrome/security/advisories/GHSA-8c7j-2h97-q63p"}, {"source": "security-advisories@github.com", "url": "https://securitylab.github.com/advisories/GHSL-2024-027_GHSL-2024-028_codeium-chrome"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Awaiting Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-200"}, {"lang": "en", "value": "CWE-284"}], "source": "security-advisories@github.com", "type": "Secondary"}]}

{}