{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2024-8509", "assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "state": "PUBLISHED", "assignerShortName": "redhat", "dateReserved": "2024-09-06T12:47:08.205Z", "datePublished": "2024-09-06T15:17:49.225Z", "dateUpdated": "2024-09-14T02:11:26.790Z"}, "containers": {"cna": {"title": "Migration toolkit for virtualization: forklift-controller: empty bearer token may perform authentication", "metrics": [{"other": {"content": {"value": "Important", "namespace": "https://access.redhat.com/security/updates/classification/"}, "type": "Red Hat severity rating"}}, {"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}, "format": "CVSS"}], "descriptions": [{"lang": "en", "value": "A vulnerability was found in Forklift Controller.\u00a0 There is no verification against the authorization header except to ensure it uses bearer authentication. Without an Authorization header and some form of a Bearer token, a 401 error occurs. The presence of a token value provides a 200 response with the requested information."}], "affected": [{"vendor": "Red Hat", "product": "Migration Toolkit for Virtualization 2.6", "collectionURL": "https://catalog.redhat.com/software/containers/", "packageName": "migration-toolkit-virtualization/mtv-api-rhel9", "defaultStatus": "affected", "versions": [{"version": "2.6.6-2", "lessThan": "*", "versionType": "rpm", "status": "unaffected"}], "cpes": ["cpe:/a:redhat:migration_toolkit_virtualization:2.6::el9", "cpe:/a:redhat:migration_toolkit_virtualization:2.6::el8"]}], "references": [{"url": "https://access.redhat.com/errata/RHSA-2024:6487", "name": "RHSA-2024:6487", "tags": ["vendor-advisory", "x_refsource_REDHAT"]}, {"url": "https://access.redhat.com/security/cve/CVE-2024-8509", "tags": ["vdb-entry", "x_refsource_REDHAT"]}, {"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2310406", "name": "RHBZ#2310406", "tags": ["issue-tracking", "x_refsource_REDHAT"]}], "datePublic": "2024-09-06T00:00:00+00:00", "problemTypes": [{"descriptions": [{"cweId": "CWE-285", "description": "Improper Authorization", "lang": "en", "type": "CWE"}]}], "x_redhatCweChain": "CWE-285: Improper Authorization", "workarounds": [{"lang": "en", "value": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability."}], "timeline": [{"lang": "en", "time": "2024-09-06T12:47:14.382000+00:00", "value": "Reported to Red Hat."}, {"lang": "en", "time": "2024-09-06T00:00:00+00:00", "value": "Made public."}], "credits": [{"lang": "en", "value": "This issue was discovered by Andrew Block (Red Hat)."}], "providerMetadata": {"orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "shortName": "redhat", "dateUpdated": "2024-09-14T02:11:26.790Z"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2024-09-06T15:33:00.374909Z", "id": "CVE-2024-8509", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-09-06T15:33:14.047Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2024-8509", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2024-09-06T15:33:00.374909Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-09-06T15:33:08.837Z"}}], "cna": {"title": "Migration toolkit for virtualization: forklift-controller: empty bearer token may perform authentication", "credits": [{"lang": "en", "value": "This issue was discovered by Andrew Block (Red Hat)."}], "metrics": [{"other": {"type": "Red Hat severity rating", "content": {"value": "Important", "namespace": "https://access.redhat.com/security/updates/classification/"}}}, {"format": "CVSS", "cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.5, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}}], "affected": [{"cpes": ["cpe:/a:redhat:migration_toolkit_virtualization:2.6::el9", "cpe:/a:redhat:migration_toolkit_virtualization:2.6::el8"], "vendor": "Red Hat", "product": "Migration Toolkit for Virtualization 2.6", "versions": [{"status": "unaffected", "version": "2.6.6-2", "lessThan": "*", "versionType": "rpm"}], "packageName": "migration-toolkit-virtualization/mtv-api-rhel9", "collectionURL": "https://catalog.redhat.com/software/containers/", "defaultStatus": "affected"}], "timeline": [{"lang": "en", "time": "2024-09-06T12:47:14.382000+00:00", "value": "Reported to Red Hat."}, {"lang": "en", "time": "2024-09-06T00:00:00+00:00", "value": "Made public."}], "datePublic": "2024-09-06T00:00:00+00:00", "references": [{"url": "https://access.redhat.com/errata/RHSA-2024:6487", "name": "RHSA-2024:6487", "tags": ["vendor-advisory", "x_refsource_REDHAT"]}, {"url": "https://access.redhat.com/security/cve/CVE-2024-8509", "tags": ["vdb-entry", "x_refsource_REDHAT"]}, {"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2310406", "name": "RHBZ#2310406", "tags": ["issue-tracking", "x_refsource_REDHAT"]}], "workarounds": [{"lang": "en", "value": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability."}], "descriptions": [{"lang": "en", "value": "A vulnerability was found in Forklift Controller.\u00a0 There is no verification against the authorization header except to ensure it uses bearer authentication. Without an Authorization header and some form of a Bearer token, a 401 error occurs. The presence of a token value provides a 200 response with the requested information."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-285", "description": "Improper Authorization"}]}], "providerMetadata": {"orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "shortName": "redhat", "dateUpdated": "2024-09-14T02:11:26.790Z"}, "x_redhatCweChain": "CWE-285: Improper Authorization"}}, "cveMetadata": {"cveId": "CVE-2024-8509", "state": "PUBLISHED", "dateUpdated": "2024-09-14T02:11:26.790Z", "dateReserved": "2024-09-06T12:47:08.205Z", "assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "datePublished": "2024-09-06T15:17:49.225Z", "assignerShortName": "redhat"}, "dataVersion": "5.1"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "A vulnerability was found in Forklift Controller.\u00a0 There is no verification against the authorization header except to ensure it uses bearer authentication. Without an Authorization header and some form of a Bearer token, a 401 error occurs. The presence of a token value provides a 200 response with the requested information."}, {"lang": "es", "value": "Se encontr\u00f3 una vulnerabilidad en Forklift Controller. No hay verificaci\u00f3n con respecto al encabezado de autorizaci\u00f3n, excepto para garantizar que utilice autenticaci\u00f3n de portador. Sin un encabezado de autorizaci\u00f3n y alg\u00fan tipo de token de portador, se produce un error 401. La presencia de un valor de token proporciona una respuesta 200 con la informaci\u00f3n solicitada."}], "id": "CVE-2024-8509", "lastModified": "2024-09-09T19:15:14.837", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "secalert@redhat.com", "type": "Secondary"}]}, "published": "2024-09-06T16:15:03.583", "references": [{"source": "secalert@redhat.com", "url": "https://access.redhat.com/errata/RHSA-2024:6487"}, {"source": "secalert@redhat.com", "url": "https://access.redhat.com/security/cve/CVE-2024-8509"}, {"source": "secalert@redhat.com", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2310406"}], "sourceIdentifier": "secalert@redhat.com", "vulnStatus": "Awaiting Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-285"}], "source": "secalert@redhat.com", "type": "Primary"}]}

{"acknowledgement": "This issue was discovered by Andrew Block (Red Hat).", "affected_release": [{"advisory": "RHSA-2024:6487", "cpe": "cpe:/a:redhat:migration_toolkit_virtualization:2.6::el9", "package": "migration-toolkit-virtualization/mtv-api-rhel9:2.6.6-2", "product_name": "Migration Toolkit for Virtualization 2.6", "release_date": "2024-09-09T00:00:00Z"}], "bugzilla": {"description": "Migration Toolkit for Virtualization: forklift-controller: Empty bearer token may perform authentication", "id": "2310406", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2310406"}, "csaw": false, "cvss3": {"cvss3_base_score": "7.5", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "status": "verified"}, "cwe": "CWE-285", "details": ["A vulnerability was found in Forklift Controller.\u00a0 There is no verification against the authorization header except to ensure it uses bearer authentication. Without an Authorization header and some form of a Bearer token, a 401 error occurs. The presence of a token value provides a 200 response with the requested information.", "A vulnerability was found in Forklift Controller.\u00a0 There is no verification against the authorization header except to ensure it uses bearer authentication. Without an Authorization header and some form of a Bearer token, a 401 error occurs. The presence of a token value provides a 200 response with the requested information."], "mitigation": {"lang": "en:us", "value": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability."}, "name": "CVE-2024-8509", "public_date": "2024-09-06T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2024-8509\nhttps://nvd.nist.gov/vuln/detail/CVE-2024-8509"], "statement": "This vulnerability represents a important severity issue due to its direct impact on the API's authentication and authorization mechanisms. By failing to properly validate the Bearer token in the Authorization header, the API inadvertently allows unauthorized users to access protected resources, leading to potential data breaches and unauthorized operations. The absence of token verification bypasses the core security controls designed to restrict access, thereby exposing sensitive data and system functionalities to malicious actors.", "threat_severity": "Important"}