PT-2024-31386 · Tophat · Tophat

Published

2024-08-26

·

Updated

2024-08-27

·

CVE-2024-45036

CVSS v3.1

4.3

Medium

Vector AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N
Name of the Vulnerable Software and Affected Versions: Tophat versions prior to 1.10.0
Description: The issue is an Improper Access Control vulnerability that exposes the TOPHAT_APP_TOKEN token stored in ~/.tophatrc when a user opens a malicious Tophat URL controlled by the attacker. Tophat sends the token to the server named in the URL without any check that the server is trusted, so the attacker's server receives it. The token can then be used to access internal build artifacts for mobile applications that are not intended to be public.
Recommendations: For versions prior to 1.10.0, update to version 1.10.0 or later as soon as possible; there is no workaround for this issue. Systems that have implemented the Tophat API endpoint for requesting artifacts should stop using it and invalidate the token immediately.
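The following is an added illustration of the vulnerable pattern and its hardened counterpart; it is constructed for this entry and is not Tophat's code. The token value, the allow-listed host `artifacts.internal.example`, and the sample URLs are all assumptions. The pre-fix function attaches the stored token to whatever host the URL names, which is the behaviour the description above refers to; the post-fix function releases the token only to an HTTPS URL whose host is on an explicit allow-list, and resists look-alike URLs that put the trusted name in the userinfo part or in a subdomain of the attacker's domain.

```python
"""Client-side token-release check for a Tophat-style artifact fetch.

Constructed example for this advisory entry, not Tophat's own code. It
contrasts the pre-fix pattern (the stored app token goes to any host the
URL names) with a hardened pattern (the token goes only to an allow-listed
HTTPS host).
"""
from typing import Optional
from urllib.parse import urlsplit

# Constructed stand-in for the value Tophat reads from ~/.tophatrc.
APP_TOKEN = "tophat-app-token-EXAMPLE"

# Hypothetical allow-list of hosts entitled to receive the token.
TRUSTED_ARTIFACT_HOSTS = {"artifacts.internal.example"}


def headers_before_fix(url: str, token: str) -> dict:
    """Vulnerable pattern: the token is attached regardless of where the
    URL points, so a link under the attacker's control receives it."""
    return {"Authorization": f"Bearer {token}"}


def headers_after_fix(url: str, token: str,
                      trusted_hosts=TRUSTED_ARTIFACT_HOSTS) -> dict:
    """Hardened pattern: attach the token only for an https URL whose host
    is exactly one of the trusted hosts. urlsplit().hostname strips any
    userinfo and port and lower-cases the name, so a URL such as
    https://artifacts.internal.example@attacker.example/ resolves to
    attacker.example and is rejected."""
    parts = urlsplit(url)
    if parts.scheme != "https":
        return {}
    if parts.hostname not in trusted_hosts:
        return {}
    return {"Authorization": f"Bearer {token}"}


def token_recipient(url: str, headers_for) -> Optional[str]:
    """Return the host that would receive the token under the given header
    policy, or None if no token would be sent."""
    headers = headers_for(url, APP_TOKEN)
    return urlsplit(url).hostname if "Authorization" in headers else None


if __name__ == "__main__":
    # Constructed URLs: one legitimate internal artifact, three attacker links.
    samples = [
        "https://artifacts.internal.example/builds/app.ipa",
        "https://attacker.example/app.ipa",
        "https://artifacts.internal.example@attacker.example/app.ipa",
        "http://artifacts.internal.example.attacker.example/app.ipa",
    ]
    for url in samples:
        print(url)
        print("  before fix, token sent to:", token_recipient(url, headers_before_fix))
        print("  after fix,  token sent to:", token_recipient(url, headers_after_fix))
```

The check deliberately compares the parsed hostname against an exact set rather than doing substring or suffix matching on the raw URL string; suffix matching on the string is what lets `artifacts.internal.example.attacker.example` or the userinfo trick slip through.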

Exploit

Fix

Improper Authentication

Weakness Enumeration

Related Identifiers

CVE-2024-45036
GHSA-P7XH-6HJR-MMG6

Affected Products

Tophat