PT-2024-16016 · Unknown · Codechecker

Discookie · Published 2024-11-06 · Updated 2024-11-07 · CVE-2024-10082

CVSS v4.0: 9.4 (Critical)
Vector: AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:N/SC:H/SI:H/SA:N
Name of the Vulnerable Software and Affected Versions
CodeChecker versions through 6.24.1

Description
The issue is an authentication method confusion that allows an attacker to log in as the built-in root user through an external authentication service. The built-in root user is generated in a weak manner, cannot be disabled, and has universal access. As a result, an attacker who can create an account on an enabled external authentication service can log in as the root user and access and control everything via the web interface. To succeed, the attacker needs the username of the root user, which is stored in the root.user file in the CodeChecker configuration directory.

Recommendations
For CodeChecker versions through 6.24.1, update to a version later than 6.24.1 to resolve the issue. As a temporary workaround, consider restricting access to the external authentication services or monitoring the CodeChecker instance for signs of compromise. Additionally, review the logs for signs of unauthorized access and consider disabling the external authentication services until the issue is resolved.
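The confusion the description names, shown as an added Python model that is not CodeChecker's own code: a superuser check keyed on the bare username grants root to any external account that shares the name, while keying the principal on (authentication method, username) confines the built-in root to local logins. All names, the user store and the root placeholder here are hypothetical.

```python
import secrets
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Principal:
    """An authenticated identity, qualified by the method that vouched for it."""
    method: str    # "local" for the built-in user database, else the external service name
    username: str


# Constructed sample data. The real root username is read from root.user; here it
# is a placeholder, and its password comes from a CSPRNG rather than the weak
# generation the advisory describes.
ROOT_USERNAME = "root"
ROOT_PASSWORD = secrets.token_urlsafe(32)
LOCAL_USERS = {ROOT_USERNAME: ROOT_PASSWORD}
SUPERUSERS = {ROOT_USERNAME}


def local_login(username: str, password: str) -> Optional[Principal]:
    """Authenticate against the built-in user database (constant-time compare)."""
    stored = LOCAL_USERS.get(username)
    if stored is None or not secrets.compare_digest(stored, password):
        return None
    return Principal("local", username)


def external_login(service: str, username: str) -> Principal:
    """Map an identity that the external service has already authenticated.
    The service name is kept on the principal so it can never pass as "local"."""
    if service == "local":
        raise ValueError("external services may not claim the local method")
    return Principal(service, username)


def vulnerable_is_superuser(username: str) -> bool:
    """Confused check: the bare username decides, whichever service asserted it."""
    return username in SUPERUSERS


def hardened_is_superuser(p: Principal) -> bool:
    """Built-in superusers exist only in the local database, so an external
    account that merely shares the name is an ordinary user."""
    return p.method == "local" and p.username in SUPERUSERS
```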

Fix

Weakness Enumeration

Use of Insufficiently Random Values

Related Identifiers

CVE-2024-10082
GHSA-FPM5-2WCJ-VFR7
PYSEC-2024-183

Affected Products

Codechecker