PT-2024-17656 · Open Design Alliance · Open Design Alliance Cde Inweb Sdk
Dhiyaneshdk +1
Published 2024-12-12 · Updated 2025-09-08
CVE-2024-12564
CVSS v4.0: 6.9 (Medium)
Vector: AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:L/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Name of the Vulnerable Software and Affected Versions
Open Design Alliance CDE inWEB SDK versions prior to 2025.3
Description
CDE Server installed with its default settings exposes its Prometheus metrics page to unauthenticated users, so sensitive information is disclosed to an unauthorized actor. The metrics describe the running application and its environment, which helps an attacker profile the target and plan further investigation and exploitation. The CVSS vector reflects exactly this: reachable over the network with no privileges or user interaction, low confidentiality impact on the vulnerable system, and low confidentiality impact on subsequent systems.
Recommendations
For versions prior to 2025.3, disable access to the Prometheus metrics page as a temporary workaround, and restrict network access to the CDE Server to trusted hosts so that unauthenticated clients cannot reach the endpoint. Do not keep the default installation settings. The affected range ends at 2025.3, but at the time of writing no vendor release is confirmed to contain a fix for this issue.
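As an added example (not code from the advisory or from Open Design Alliance), the following Python check requests the metrics page without credentials and classifies the answer, so the exposure can be confirmed before the workaround is applied and the restriction verified afterwards. It assumes the page is served at the conventional Prometheus path /metrics and that a restricted server answers unauthenticated requests with 401 or 403; neither detail is stated on the page. The sample body is constructed, not captured from a real CDE Server.

```python
"""Probe a CDE Server for an unauthenticated Prometheus metrics page.

Added example for CVE-2024-12564; not code from the advisory or from the
Open Design Alliance. Assumptions not stated on the page: the metrics page
is served at the conventional Prometheus path /metrics, and a restricted
server answers unauthenticated requests with 401 or 403.
"""
import re
import sys
import urllib.error
import urllib.request

# A Prometheus text-exposition sample line: metric_name{labels} value [timestamp]
_SAMPLE_LINE = re.compile(r"^[A-Za-z_:][A-Za-z0-9_:]*(\{[^}]*\})?\s+\S+")


def looks_like_prometheus(body: str) -> bool:
    """Heuristic: the body is Prometheus text exposition format.

    Require at least one sample line plus either a '# HELP'/'# TYPE'
    comment or a second sample, so a stray 'word number' line inside
    an HTML page does not count.
    """
    has_meta = False
    samples = 0
    for raw in body.splitlines():
        line = raw.strip()
        if line.startswith("# HELP ") or line.startswith("# TYPE "):
            has_meta = True
        elif line and not line.startswith("#") and _SAMPLE_LINE.match(line):
            samples += 1
    return samples >= 1 and (has_meta or samples >= 2)


def metric_families(body: str) -> list[str]:
    """Metric family names declared by '# TYPE <name> <type>' lines, in order."""
    names: list[str] = []
    for line in body.splitlines():
        parts = line.strip().split()
        if len(parts) >= 3 and parts[0] == "#" and parts[1] == "TYPE" and parts[2] not in names:
            names.append(parts[2])
    return names


def classify(status: int, body: str) -> str:
    """Verdict for one HTTP response to an unauthenticated GET of the metrics page.

    exposed        - 200 with Prometheus exposition: the CVE-2024-12564 condition
    restricted     - 401/403: authentication or access control is in place
    not-prometheus - 200 but some other content (e.g. a login page)
    """
    if status == 200:
        return "exposed" if looks_like_prometheus(body) else "not-prometheus"
    if status in (401, 403):
        return "restricted"
    return f"unexpected-{status}"


def check(base_url: str, path: str = "/metrics", timeout: float = 5.0) -> tuple[str, list[str]]:
    """GET the metrics page without credentials and classify the answer."""
    req = urllib.request.Request(base_url.rstrip("/") + path,
                                 headers={"User-Agent": "cde-metrics-exposure-check"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            status, body = resp.status, resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as err:  # 4xx/5xx responses still carry the status we need
        status, body = err.code, err.read().decode("utf-8", "replace")
    verdict = classify(status, body)
    return verdict, metric_families(body) if verdict == "exposed" else []


# Constructed sample of what an exposed metrics page looks like; generic
# Prometheus client output, not captured from a real CDE Server.
SAMPLE_EXPOSED_BODY = """\
# HELP build_info Build information of the running binary.
# TYPE build_info gauge
build_info{version="1.2.3"} 1
# HELP process_open_fds Number of open file descriptors.
# TYPE process_open_fds gauge
process_open_fds 37
# HELP http_requests_total Total HTTP requests by handler.
# TYPE http_requests_total counter
http_requests_total{handler="/api/v1/projects",method="get",code="200"} 1027
"""

if __name__ == "__main__":
    if len(sys.argv) > 1:
        # Live probe, e.g. python3 check_metrics.py https://cde.example.internal
        verdict, families = check(sys.argv[1])
    else:
        # Offline demonstration on the constructed sample
        verdict, families = classify(200, SAMPLE_EXPOSED_BODY), metric_families(SAMPLE_EXPOSED_BODY)
    print(verdict)
    for name in families:
        print("  ", name)
```

Run it with the server's base URL to probe a live installation; with no argument it runs against the constructed sample. After the workaround, the verdict you want is "restricted". An "exposed" verdict also lists the metric families, which is the kind of application detail the advisory says helps an attacker profile the target.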
Incorrect Default Permissions
Information Disclosure
Incorrect Permission
Affected Products
Open Design Alliance Cde Inweb Sdk