CVE-2024-23639

EPSS 0.04%
Veröffentlicht 09.02.2024 01:15:09
Zuletzt bearbeitet 21.11.2024 08:58:03
Quelle security-advisories@github.com
CVE-Watchlists
Login
Unerledigt
Login

Micronaut Framework is a modern, JVM-based, full stack Java framework designed for building modular, easily testable JVM applications with support for Java, Kotlin and the Groovy language. Enabled but unsecured management endpoints are susceptible to drive-by localhost attacks. While not typical of a production application, these attacks may have more impact on a development environment where such endpoints may be flipped on without much thought. A malicious/compromised website can make HTTP requests to `localhost`. Normally, such requests would trigger a CORS preflight check which would prevent the request; however, some requests are "simple" and do not require a preflight check. These endpoints, if enabled and not secured, are vulnerable to being triggered. Production environments typically disable unused endpoints and secure/restrict access to needed endpoints. A more likely victim is the developer in their local development host, who has enabled endpoints without security for the sake of easing development. This issue has been addressed in version 3.8.3. Users are advised to upgrade.

Betroffene Produkte Warnungen 0 Metriken 3 CWE 3 Referenzen 5

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Objectcomputing ≫ Micronaut Version < 3.8.3

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	0.04%	0.103

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
nvd@nist.gov	7.8	1.8	5.9	CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
security-advisories@github.com	5.1	2.5	2.5	CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L

CWE-15 External Control of System or Configuration Setting

One or more system settings or configuration elements can be externally controlled by a user.

CWE-610 Externally Controlled Reference to a Resource in Another Sphere

The product uses an externally controlled name or reference that resolves to a resource that is outside of the intended control sphere.

CWE-664 Improper Control of a Resource Through its Lifetime

The product does not maintain or incorrectly maintains control over a resource throughout its lifetime of creation, use, and release.

https://developer.mozilla.org/en-US/docs/Web/HTTP/CORS#simple_requests

Not Applicable

https://github.com/micronaut-projects/micronaut-core/security/advisories/GHSA-583g-g682-crxf

Third Party Advisory

https://nvd.nist.gov/vuln/detail/CVE-2024-23639

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2024-23639

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2024-23639

EUVD

Team-orientierte Vulnerability Management Plattform

Features der Plattform

CVE-2024-23639