Lucene search
GitHub_MCVELIST:CVE-2024-32470HistoryApr 18, 2024 - 3:05 p.m.
CVE-2024-32470 Tolgee' API keys created by server admin users bypass the permission check
2024-04-1815:05:26
CWE-863
GitHub_M
www.cve.org
tolgee
api key
bypass
permission check
v3.57.2
v3.57.4
6.5 Medium
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
HIGH
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
NONE
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:N
0.0004 Low
EPSS
Percentile
15.8%
Tolgee is an open-source localization platform. When API key created by admin user is used it bypasses the permission check at all. This error was introduced in v3.57.2 and immediately fixed in v3.57.4.
CNA Affected
[
{
"vendor": "tolgee",
"product": "tolgee-platform",
"versions": [
{
"version": ">= 3.57.2, < 3.57.4",
"status": "affected"
}
]
}
]Related
cve
cve
CVE-2024-32470
2024-04-18 15:15:30
nvd
nvd
CVE-2024-32470
2024-04-18 15:15:30
osv
osv
CVE-2024-32466
2024-04-18 15:15:30
CVE-2024-32470
2024-04-18 15:15:30
6.5 Medium
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
HIGH
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
NONE
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:N
0.0004 Low
EPSS
Percentile
15.8%
Related for CVELIST:CVE-2024-32470