PT-2024-16015 · Unknown · Codechecker

Discookie · Published 2024-11-06 · Updated 2025-11-14 · CVE-2024-10081

CVSS v3.1: 10 (Critical)

Vector: AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: CodeChecker versions through 6.24.1

Description: An authentication bypass occurs when an API URL ends with Authentication: such a request is granted superuser access to every API endpoint other than /Authentication, including the endpoints that add, edit, and remove products. All endpoints apart from /Authentication are affected. The bypass therefore lets unauthenticated users reach all API functionality, including querying, adding, changing, and deleting the products held on the CodeChecker server.

Recommendations: For CodeChecker versions through 6.24.1, update to a version that contains a fix for this issue. As a temporary workaround, consider restricting access to all API endpoints except /Authentication to reduce the risk of exploitation. Additionally, review logs for signs of exploitation: look for requests made by an Anonymous user whose URL starts with 'v' and contains a valid CodeChecker endpoint but ends in Authentication, Configuration, or ServerInfo. Isolate vulnerable systems until they are patched.
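As an added illustration of the log review described in the recommendation (example code written for this page, not part of the advisory or of CodeChecker itself), the following Python scans access-log lines for the stated pattern. The log line format and the service names in KNOWN_ENDPOINTS are assumptions; adjust both to your deployment.

```python
import re
from dataclasses import dataclass

# Assumed, not from the advisory: service names under the versioned API prefix.
KNOWN_ENDPOINTS = {"Products", "CodeCheckerService", "Configuration", "ServerInfo"}
# Trailing segments the advisory names as the tell-tale of the bypass.
SUSPICIOUS_SUFFIXES = {"Authentication", "Configuration", "ServerInfo"}
# Constructed log format "<timestamp> <user> <method> <path>"; adapt to the real layout.
LOG_RE = re.compile(r"^(?P<ts>\S+) (?P<user>\S+) (?P<method>[A-Z]+) (?P<path>\S+)$")

@dataclass
class Hit:
    timestamp: str
    path: str

def is_bypass_shaped(path: str) -> bool:
    """Match the advisory's pattern: first segment starts with 'v', a known
    endpoint appears before the last segment, and the last segment is one of
    the services that are reachable without credentials."""
    segments = [s for s in path.split("?", 1)[0].split("/") if s]
    if len(segments) < 3 or not segments[0].startswith("v"):
        return False
    if segments[-1] not in SUSPICIOUS_SUFFIXES:
        return False
    # A legitimate call ends at the endpoint itself ("/v6.24/Products"); a real
    # endpoint followed by one of the suffixes is the bypass shape.
    return any(seg in KNOWN_ENDPOINTS for seg in segments[1:-1])

def find_bypass_attempts(lines):
    """Return the Anonymous requests whose path has the bypass shape."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if m and m["user"].lower() == "anonymous" and is_bypass_shaped(m["path"]):
            hits.append(Hit(m["ts"], m["path"]))
    return hits

# Constructed sample log lines; only the third and fourth match the pattern.
SAMPLE_LOG = """\
2024-11-05T10:00:01 alice GET /v6.24/Products
2024-11-05T10:00:02 Anonymous POST /v6.24/Authentication
2024-11-05T10:00:03 Anonymous POST /v6.24/Products/Authentication
2024-11-05T10:00:04 Anonymous POST /v6.24/CodeCheckerService/ServerInfo
2024-11-05T10:00:05 bob POST /v6.24/Products/Authentication
"""

if __name__ == "__main__":
    for hit in find_bypass_attempts(SAMPLE_LOG.splitlines()):
        print(f"{hit.timestamp} possible CVE-2024-10081 probe: {hit.path}")
```

Authenticated users hitting the same path shape (the last sample line) are deliberately not flagged, since the advisory's indicator is specifically an Anonymous requester.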

Fix

Weakness Enumeration

CWE-288: Authentication Bypass Using an Alternate Path or Channel

Related Identifiers

CVE-2024-10081
GHSA-F3F8-VX3W-HP5Q
PYSEC-2024-238

Affected Products

Codechecker