PT-2024-29340 · Casdoor · Casdoor

Yuexi Zhang

Published

2024-08-01

Updated

2024-08-16

CVE-2024-41264

CVSS v3.1

7.5

High

Vector

AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Name of the Vulnerable Software and Affected Versions casdoor version 1.636.0

Description An issue in casdoor allows attackers to obtain sensitive information via the ssh.InsecureIgnoreHostKey() method, which disables host key verification. This method is used in github.com/casdoor/casdoor.

Recommendations For casdoor version 1.636.0, consider disabling the use of the ssh.InsecureIgnoreHostKey() method to prevent host key verification bypass until a patch is available. Restrict access to sensitive information to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

Information Disclosure

Improper Certificate Validation

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-200CWE-297CWE-295

Related Identifiers

CVE-2024-41264

GHSA-67FW-W8F2-88WP

GO-2024-3026

Affected Products

Casdoor

PT-2024-29340 · Casdoor · Casdoor

CVE-2024-41264

Weakness Enumeration

Related Identifiers

Affected Products

References · 12