PT-2026-28312 · Synopsys · Coverity Connect
Huong Kieu
·
Publicado
2026-03-27
·
Atualizado
2026-03-27
·
CVE-2026-1496
CVSS v4.0
9.3
Crítica
| Vetor | AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X |
Name of the Vulnerable Software and Affected Versions
Coverity Connect (affected versions not specified)
Description
The authentication logic in the command line tooling for Coverity Connect is missing an error handler, leading to a potential authentication bypass. An attacker with access to the
/token API endpoint and knowledge of a valid username can craft a specific HTTP request to bypass authentication. Successful exploitation allows an attacker to assume the privileges of the legitimate user. The /token API endpoint is involved in this issue. The username is a vulnerable parameter.Recommendations
At the moment, there is no information about a newer version that contains a fix for this vulnerability.
IDOR
Encontrou algum problema na descrição? Tem algo a acrescentar? Fique à vontade para nos escrever 👾
Enumeração de Fraquezas
Identificadores relacionados
Produtos afetados
Coverity Connect