Lucene search

GitHub_MCVE-2024-32470

HistoryApr 18, 2024 - 3:15 p.m.

CVE-2024-32470

2024-04-1815:15:30

CWE-863

GitHub_M

web.nvd.nist.gov

tolgee

localization

admin

api key

bypass

vulnerability

permission check

v3.57.2

v3.57.4

CVSS3

6.5

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

HIGH

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:N

AI Score

6.7

Confidence

Low

EPSS

Percentile

15.5%

JSON

Tolgee is an open-source localization platform. When API key created by admin user is used it bypasses the permission check at all. This error was introduced in v3.57.2 and immediately fixed in v3.57.4.

Affected configurations

Vulners

Node

tolgeetolgee_platformRange3.57.2–3.57.4

VendorProductVersionCPE
tolgeetolgee_platform*cpe:2.3:a:tolgee:tolgee_platform:*:*:*:*:*:*:*:*

Vendor	Product	Version	CPE
tolgee	tolgee_platform	*	cpe:2.3:a:tolgee:tolgee_platform::::::::

CNA Affected

[
  {
    "vendor": "tolgee",
    "product": "tolgee-platform",
    "versions": [
      {
        "version": ">= 3.57.2, < 3.57.4",
        "status": "affected"
      }
    ]
  }
]

References

github.com/tolgee/tolgee-platform/commit/a0d861028d931f8a54387770eaf3a75031b81234

github.com/tolgee/tolgee-platform/security/advisories/GHSA-pm57-hcm8-38gw

github.com/tolgee/tolgee-platform/security/advisories/GHSA-r95p-fqqv-fppc

CVSS3

6.5

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

HIGH

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:N

AI Score

6.7

Confidence

Low

EPSS

Percentile

15.5%

JSON

Related for CVE-2024-32470