CVE-2024-23687 - Vulnerability Details - OpenCVE

Hard-coded credentials in FOLIO mod-data-export-spring versions before 1.5.4 and from 2.0.0 to 2.0.2 allows unauthenticated users to access critical APIs, modify user data, modify configurations including single-sign-on, and manipulate fees/fines.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact None

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

Exploitation none

Automatable yes

Technical Impact total

Vendors	Products
Openlibraryfoundation	Mod-data-export-spring

Configuration 1 [-]

OR	cpe:2.3:a:openlibraryfoundation:mod-data-export-spring::::::::
	cpe:2.3:a:openlibraryfoundation:mod-data-export-spring::::::::

No data.

References

Link	Providers
https://github.com/advisories/GHSA-vf78-3q9f-92g3
https://github.com/folio-org/mod-data-export-spring/commit/93aff4566bff59e30f4121b5a2bda5b0b508a446
https://github.com/folio-org/mod-data-export-spring/security/advisories/GHSA-vf78-3q9f-92g3
https://vulncheck.com/advisories/vc-advisory-GHSA-vf78-3q9f-92g3
https://wiki.folio.org/x/hbMMBw

History

Wed, 13 Nov 2024 17:15:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}`

MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published: 2024-01-19T21:15:18.503Z

Updated: 2024-11-13T17:00:45.040Z

Reserved: 2024-01-19T17:35:09.985Z

Link: CVE-2024-23687

Vulnrichment

Updated: 2024-08-01T23:06:25.426Z

NVD

Status : Modified

Published: 2024-01-19T22:15:08.517

Modified: 2024-11-21T08:58:10.590

Link: CVE-2024-23687

Redhat

No data.

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2024-23687", "assignerOrgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10", "state": "PUBLISHED", "assignerShortName": "VulnCheck", "dateReserved": "2024-01-19T17:35:09.985Z", "datePublished": "2024-01-19T21:15:18.503Z", "dateUpdated": "2024-11-13T17:00:45.040Z"}, "containers": {"cna": {"affected": [{"collectionURL": "https://repo.maven.apache.org/maven2", "defaultStatus": "unaffected", "packageName": "org.folio:mod-data-export-spring", "versions": [{"lessThan": "1.5.4", "status": "affected", "version": "0", "versionType": "maven"}, {"lessThan": "2.0.2", "status": "affected", "version": "2.0.0", "versionType": "maven"}]}], "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "<p>Hard-coded credentials in FOLIO mod-data-export-spring versions before 1.5.4 and from 2.0.0 to 2.0.2 allows unauthenticated users to access critical APIs, modify user data, modify configurations including single-sign-on, and manipulate fees/fines.</p>"}], "value": "Hard-coded credentials in FOLIO mod-data-export-spring versions before 1.5.4 and from 2.0.0 to 2.0.2 allows unauthenticated users to access critical APIs, modify user data, modify configurations including single-sign-on, and manipulate fees/fines.\n\n"}], "providerMetadata": {"orgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10", "shortName": "VulnCheck", "dateUpdated": "2024-01-19T21:15:18.503Z"}, "references": [{"tags": ["vendor-advisory"], "url": "https://github.com/folio-org/mod-data-export-spring/security/advisories/GHSA-vf78-3q9f-92g3"}, {"tags": ["patch"], "url": "https://github.com/folio-org/mod-data-export-spring/commit/93aff4566bff59e30f4121b5a2bda5b0b508a446"}, {"tags": ["related"], "url": "https://wiki.folio.org/x/hbMMBw"}, {"tags": ["third-party-advisory"], "url": "https://github.com/advisories/GHSA-vf78-3q9f-92g3"}, {"tags": ["third-party-advisory"], "url": "https://vulncheck.com/advisories/vc-advisory-GHSA-vf78-3q9f-92g3"}], "source": {"discovery": "INTERNAL"}, "title": "FOLIO mod-data-export-spring Hard-Coded Credentials"}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-01T23:06:25.426Z"}, "title": "CVE Program Container", "references": [{"tags": ["vendor-advisory", "x_transferred"], "url": "https://github.com/folio-org/mod-data-export-spring/security/advisories/GHSA-vf78-3q9f-92g3"}, {"tags": ["patch", "x_transferred"], "url": "https://github.com/folio-org/mod-data-export-spring/commit/93aff4566bff59e30f4121b5a2bda5b0b508a446"}, {"tags": ["related", "x_transferred"], "url": "https://wiki.folio.org/x/hbMMBw"}, {"tags": ["third-party-advisory", "x_transferred"], "url": "https://github.com/advisories/GHSA-vf78-3q9f-92g3"}, {"tags": ["third-party-advisory", "x_transferred"], "url": "https://vulncheck.com/advisories/vc-advisory-GHSA-vf78-3q9f-92g3"}]}, {"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2024-01-24T19:24:25.245441Z", "id": "CVE-2024-23687", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-11-13T17:00:45.040Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "https://github.com/folio-org/mod-data-export-spring/security/advisories/GHSA-vf78-3q9f-92g3", "tags": ["vendor-advisory", "x_transferred"]}, {"url": "https://github.com/folio-org/mod-data-export-spring/commit/93aff4566bff59e30f4121b5a2bda5b0b508a446", "tags": ["patch", "x_transferred"]}, {"url": "https://wiki.folio.org/x/hbMMBw", "tags": ["related", "x_transferred"]}, {"url": "https://github.com/advisories/GHSA-vf78-3q9f-92g3", "tags": ["third-party-advisory", "x_transferred"]}, {"url": "https://vulncheck.com/advisories/vc-advisory-GHSA-vf78-3q9f-92g3", "tags": ["third-party-advisory", "x_transferred"]}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-01T23:06:25.426Z"}}, {"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2024-23687", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2024-01-24T19:24:25.245441Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-11-13T17:00:40.997Z"}}], "cna": {"title": "FOLIO mod-data-export-spring Hard-Coded Credentials", "source": {"discovery": "INTERNAL"}, "affected": [{"versions": [{"status": "affected", "version": "0", "lessThan": "1.5.4", "versionType": "maven"}, {"status": "affected", "version": "2.0.0", "lessThan": "2.0.2", "versionType": "maven"}], "packageName": "org.folio:mod-data-export-spring", "collectionURL": "https://repo.maven.apache.org/maven2", "defaultStatus": "unaffected"}], "references": [{"url": "https://github.com/folio-org/mod-data-export-spring/security/advisories/GHSA-vf78-3q9f-92g3", "tags": ["vendor-advisory"]}, {"url": "https://github.com/folio-org/mod-data-export-spring/commit/93aff4566bff59e30f4121b5a2bda5b0b508a446", "tags": ["patch"]}, {"url": "https://wiki.folio.org/x/hbMMBw", "tags": ["related"]}, {"url": "https://github.com/advisories/GHSA-vf78-3q9f-92g3", "tags": ["third-party-advisory"]}, {"url": "https://vulncheck.com/advisories/vc-advisory-GHSA-vf78-3q9f-92g3", "tags": ["third-party-advisory"]}], "descriptions": [{"lang": "en", "value": "Hard-coded credentials in FOLIO mod-data-export-spring versions before 1.5.4 and from 2.0.0 to 2.0.2 allows unauthenticated users to access critical APIs, modify user data, modify configurations including single-sign-on, and manipulate fees/fines.\n\n", "supportingMedia": [{"type": "text/html", "value": "<p>Hard-coded credentials in FOLIO mod-data-export-spring versions before 1.5.4 and from 2.0.0 to 2.0.2 allows unauthenticated users to access critical APIs, modify user data, modify configurations including single-sign-on, and manipulate fees/fines.</p>", "base64": false}]}], "providerMetadata": {"orgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10", "shortName": "VulnCheck", "dateUpdated": "2024-01-19T21:15:18.503Z"}}}, "cveMetadata": {"cveId": "CVE-2024-23687", "state": "PUBLISHED", "dateUpdated": "2024-11-13T17:00:45.040Z", "dateReserved": "2024-01-19T17:35:09.985Z", "assignerOrgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10", "datePublished": "2024-01-19T21:15:18.503Z", "assignerShortName": "VulnCheck"}, "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:openlibraryfoundation:mod-data-export-spring:*:*:*:*:*:*:*:*", "matchCriteriaId": "EF023FD8-0E0B-4208-BDB3-8F9F73A25B45", "versionEndExcluding": "1.5.4", "vulnerable": true}, {"criteria": "cpe:2.3:a:openlibraryfoundation:mod-data-export-spring:*:*:*:*:*:*:*:*", "matchCriteriaId": "AC95B1BE-9BE8-4C31-B57B-9E4E09E14745", "versionEndExcluding": "2.0.2", "versionStartIncluding": "2.0.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "Hard-coded credentials in FOLIO mod-data-export-spring versions before 1.5.4 and from 2.0.0 to 2.0.2 allows unauthenticated users to access critical APIs, modify user data, modify configurations including single-sign-on, and manipulate fees/fines.\n\n"}, {"lang": "es", "value": "Las credenciales codificadas en las versiones FOLIO mod-data-export-spring anteriores a 1.5.4 y de 2.0.0 a 2.0.2 permiten a usuarios no autenticados acceder a API cr\u00edticas, modificar datos de usuario, modificar configuraciones, incluido el inicio de sesi\u00f3n \u00fanico, y manipular tarifas/multas."}], "id": "CVE-2024-23687", "lastModified": "2024-11-21T08:58:10.590", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 9.1, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 5.2, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2024-01-19T22:15:08.517", "references": [{"source": "disclosure@vulncheck.com", "tags": ["Third Party Advisory"], "url": "https://github.com/advisories/GHSA-vf78-3q9f-92g3"}, {"source": "disclosure@vulncheck.com", "tags": ["Patch"], "url": "https://github.com/folio-org/mod-data-export-spring/commit/93aff4566bff59e30f4121b5a2bda5b0b508a446"}, {"source": "disclosure@vulncheck.com", "tags": ["Vendor Advisory"], "url": "https://github.com/folio-org/mod-data-export-spring/security/advisories/GHSA-vf78-3q9f-92g3"}, {"source": "disclosure@vulncheck.com", "tags": ["Third Party Advisory"], "url": "https://vulncheck.com/advisories/vc-advisory-GHSA-vf78-3q9f-92g3"}, {"source": "disclosure@vulncheck.com", "tags": ["Patch", "Vendor Advisory"], "url": "https://wiki.folio.org/x/hbMMBw"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Third Party Advisory"], "url": "https://github.com/advisories/GHSA-vf78-3q9f-92g3"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Patch"], "url": "https://github.com/folio-org/mod-data-export-spring/commit/93aff4566bff59e30f4121b5a2bda5b0b508a446"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Vendor Advisory"], "url": "https://github.com/folio-org/mod-data-export-spring/security/advisories/GHSA-vf78-3q9f-92g3"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Third Party Advisory"], "url": "https://vulncheck.com/advisories/vc-advisory-GHSA-vf78-3q9f-92g3"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Patch", "Vendor Advisory"], "url": "https://wiki.folio.org/x/hbMMBw"}], "sourceIdentifier": "disclosure@vulncheck.com", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-798"}], "source": "nvd@nist.gov", "type": "Primary"}]}