PT-2024-39869 · Chef · Builder-Api
Published: 2024-10-28 · Updated: 2024-10-29 · CVE-2024-9825
CVSS v3.1: 5.4 (Medium)
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L
Name of the Vulnerable Software and Affected Versions
Chef Habitat builder-api versions prior to habitat/builder-api/10315/20240913162802
Description
The issue allows unauthorized deletion of personal tokens due to an insecure direct object reference (IDOR) flaw. It affects the builder-api Habitat package, which Habitat Builder consumes as a dependency.
Recommendations
For versions prior to habitat/builder-api/10315/20240913162802, update to habitat/builder-api/10315/20240913162802 or a subsequent version to resolve the issue. It is recommended to always use the on-prem stable channel.
Fix
Incorrect Authorization
Weakness Enumeration
Related Identifiers
Affected Products
Builder-Api