CVE-2024-39891

Warnung

Medienbericht

EPSS 23.19%
Veröffentlicht 02.07.2024 18:15:03
Zuletzt bearbeitet 05.11.2025 19:11:21
Quelle cve@mitre.org
CVE-Watchlists
Login
Unerledigt
Login

In the Twilio Authy API, accessed by Authy Android before 25.1.0 and Authy iOS before 26.1.0, an unauthenticated endpoint provided access to certain phone-number data, as exploited in the wild in June 2024. Specifically, the endpoint accepted a stream of requests containing phone numbers, and responded with information about whether each phone number was registered with Authy. (Authy accounts were not compromised, however.)

Betroffene Produkte Warnungen 1 Metriken 3 CWE 1 Referenzen 8

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Twilio ≫ Authy SwPlatformiphone_os Version < 26.1.0

Twilio ≫ Authy Authenticator SwPlatformandroid Version < 25.1.0

23.07.2024: CISA Known Exploited Vulnerabilities (KEV) Catalog

Twilio Authy Information Disclosure Vulnerability

Schwachstelle

Twilio Authy contains an information disclosure vulnerability in its API that allows an unauthenticated endpoint to accept a request containing a phone number and respond with information about whether the phone number was registered with Authy.

Beschreibung

Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.

Erforderliche Maßnahmen

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	23.19%	0.957

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
nvd@nist.gov	5.3	3.9	1.4	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
cve@mitre.org	5.3	3.9	1.4	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

CWE-203 Observable Discrepancy

The product behaves differently or sends different responses under different circumstances in a way that is observable to an unauthorized actor, which exposes security-relevant information about the state of the product, such as whether a particular operation was successful or not.

https://cwe.mitre.org/data/definitions/203.html

Technical Description

https://www.bleepingcomputer.com/news/security/hackers-abused-api-to-verify-millions-of-authy-mfa-phone-numbers/

Press/Media Coverage

https://www.twilio.com/docs/usage/security/reporting-vulnerabilities

Product

https://www.twilio.com/en-us/changelog

Release Notes

https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2024-39891

US Government Resource

https://nvd.nist.gov/vuln/detail/CVE-2024-39891

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2024-39891

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2024-39891

EUVD