CVE-2024-6301 - Vulnerability Details - OpenCVE

Description

Lack of validation of origin in federation API in Conduit, allowing any remote server to impersonate any user from any server in most EDUs

Published: 2024-06-25

Score: 5.3 Medium

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

No analysis available yet.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

The Conduit Contributors

Conduit

unaffected

Version	Status	Constraints
`0`	affected	< 0.8.0

Configuration 1 [-]

cpe:2.3:a:conduit:conduit:*:*:*:*:*:*:*:*

No data.

No data available yet.

Remediation

Vendor Solution

Upgrade to version 0.8.0

Tracking

Sign in to view the affected projects.

Advisories

Source	ID	Title
EUVD	EUVD-2024-47418	Lack of validation of origin in federation API in Conduit, allowing any remote server to impersonate any user from any server in most EDUs

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact None

Integrity Impact Low

Availability Impact None

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00199.

Key SSVC decision points have not yet been added.

References

Link	Providers
https://conduit.rs/changelog/#v0-8-0-2024-06-12
https://gitlab.com/famedly/conduit/-/releases/v0.8.0

History

Fri, 20 Sep 2024 19:15:00 +0000

Type	Values Removed	Values Added
First Time appeared		Conduit Conduit conduit
CPEs		cpe:2.3:a:conduit:conduit::::::::
Vendors & Products		Conduit Conduit conduit

Subscriptions

Conduit Conduit

MITRE

Status: PUBLISHED

Assigner: GitLab

Published: 2024-06-25T13:02:20.904Z

Updated: 2024-08-29T15:04:59.937Z

Reserved: 2024-06-25T10:30:45.683Z

Link: CVE-2024-6301

Vulnrichment

Updated: 2024-08-01T21:33:05.348Z

NVD

Status : Modified

Published: 2024-06-25T13:15:51.077

Modified: 2024-11-21T09:49:23.573

Link: CVE-2024-6301

Redhat

No data.

OpenCVE Enrichment

No data.

Weaknesses

CWE-346

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2024-6301", "assignerOrgId": "ceab7361-8a18-47b1-92ba-4d7d25f6715a", "state": "PUBLISHED", "assignerShortName": "GitLab", "dateReserved": "2024-06-25T10:30:45.683Z", "datePublished": "2024-06-25T13:02:20.904Z", "dateUpdated": "2024-08-29T15:04:59.937Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "unaffected", "product": "Conduit", "vendor": "The Conduit Contributors", "versions": [{"lessThan": "0.8.0", "status": "affected", "version": "0", "versionType": "semver"}]}], "credits": [{"lang": "en", "type": "finder", "value": "Matthias Ahouansou for finding and patching the vulnerability"}], "descriptions": [{"lang": "en", "value": "Lack of validation of origin in federation API in Conduit, allowing any remote server to impersonate any user from any server in most EDUs"}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-346", "description": "CWE-346: Origin Validation Error", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "ceab7361-8a18-47b1-92ba-4d7d25f6715a", "shortName": "GitLab", "dateUpdated": "2024-08-29T15:04:59.937Z"}, "references": [{"url": "https://gitlab.com/famedly/conduit/-/releases/v0.8.0"}, {"url": "https://conduit.rs/changelog/#v0-8-0-2024-06-12"}], "solutions": [{"lang": "en", "value": "Upgrade to version 0.8.0"}], "title": "Origin Validation Error in Conduit"}, "adp": [{"affected": [{"vendor": "the_conduit_contributors", "product": "conduit", "cpes": ["cpe:2.3:a:the_conduit_contributors:conduit:0.8.0:*:*:*:*:*:*:*"], "defaultStatus": "unknown", "versions": [{"version": "0", "status": "affected", "lessThan": "0.8.0", "versionType": "custom"}]}], "metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2024-06-25T14:41:07.777353Z", "id": "CVE-2024-6301", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-06-25T14:43:17.696Z"}}, {"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-01T21:33:05.348Z"}, "title": "CVE Program Container", "references": [{"url": "https://gitlab.com/famedly/conduit/-/releases/v0.8.0", "tags": ["x_transferred"]}, {"url": "https://conduit.rs/changelog/#v0-8-0-2024-06-12", "tags": ["x_transferred"]}]}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "https://gitlab.com/famedly/conduit/-/releases/v0.8.0", "tags": ["x_transferred"]}, {"url": "https://conduit.rs/changelog/#v0-8-0-2024-06-12", "tags": ["x_transferred"]}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-01T21:33:05.348Z"}}, {"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2024-6301", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2024-06-25T14:41:07.777353Z"}}}], "affected": [{"cpes": ["cpe:2.3:a:the_conduit_contributors:conduit:0.8.0:*:*:*:*:*:*:*"], "vendor": "the_conduit_contributors", "product": "conduit", "versions": [{"status": "affected", "version": "0", "lessThan": "0.8.0", "versionType": "custom"}], "defaultStatus": "unknown"}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-06-25T14:43:10.542Z"}}], "cna": {"title": "Origin Validation Error in Conduit", "credits": [{"lang": "en", "type": "finder", "value": "Matthias Ahouansou for finding and patching the vulnerability"}], "metrics": [{"format": "CVSS", "cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.3, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "The Conduit Contributors", "product": "Conduit", "versions": [{"status": "affected", "version": "0", "lessThan": "0.8.0", "versionType": "semver"}], "defaultStatus": "unaffected"}], "solutions": [{"lang": "en", "value": "Upgrade to version 0.8.0"}], "references": [{"url": "https://gitlab.com/famedly/conduit/-/releases/v0.8.0"}, {"url": "https://conduit.rs/changelog/#v0-8-0-2024-06-12"}], "descriptions": [{"lang": "en", "value": "Lack of validation of origin in federation API in Conduit, allowing any remote server to impersonate any user from any server in most EDUs"}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-346", "description": "CWE-346: Origin Validation Error"}]}], "providerMetadata": {"orgId": "ceab7361-8a18-47b1-92ba-4d7d25f6715a", "shortName": "GitLab", "dateUpdated": "2024-08-29T15:04:59.937Z"}}}, "cveMetadata": {"cveId": "CVE-2024-6301", "state": "PUBLISHED", "dateUpdated": "2024-08-29T15:04:59.937Z", "dateReserved": "2024-06-25T10:30:45.683Z", "assignerOrgId": "ceab7361-8a18-47b1-92ba-4d7d25f6715a", "datePublished": "2024-06-25T13:02:20.904Z", "assignerShortName": "GitLab"}, "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:conduit:conduit:*:*:*:*:*:*:*:*", "matchCriteriaId": "0A42037C-F568-4862-BEE1-FCE796E55CD1", "versionEndExcluding": "0.8.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "Lack of validation of origin in federation API in Conduit, allowing any remote server to impersonate any user from any server in most EDUs"}, {"lang": "es", "value": "Falta de validaci\u00f3n de origen en la API de federaci\u00f3n en Conduit, lo que permite que cualquier servidor remoto se haga pasar por cualquier usuario de cualquier servidor en la mayor\u00eda de las EDU."}], "id": "CVE-2024-6301", "lastModified": "2024-11-21T09:49:23.573", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 1.4, "source": "cve@gitlab.com", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2024-06-25T13:15:51.077", "references": [{"source": "cve@gitlab.com", "tags": ["Release Notes"], "url": "https://conduit.rs/changelog/#v0-8-0-2024-06-12"}, {"source": "cve@gitlab.com", "tags": ["Release Notes"], "url": "https://gitlab.com/famedly/conduit/-/releases/v0.8.0"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Release Notes"], "url": "https://conduit.rs/changelog/#v0-8-0-2024-06-12"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Release Notes"], "url": "https://gitlab.com/famedly/conduit/-/releases/v0.8.0"}], "sourceIdentifier": "cve@gitlab.com", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-346"}], "source": "cve@gitlab.com", "type": "Secondary"}, {"description": [{"lang": "en", "value": "CWE-346"}], "source": "nvd@nist.gov", "type": "Primary"}]}