CVE-2024-10081

CodeChecker is an analyzer tooling, defect database and viewer extension for the Clang Static Analyzer and Clang Tidy. Authentication bypass occurs when the API URL ends with Authentication. This bypass allows superuser access to all API endpoints other than Authentication. These endpoints include the ability to add, edit, and remove products, among others. All endpoints, apart from the /Authentication is affected by the vulnerability. This issue affects CodeChecker: through 6.24.1.

CVSS v3 10.0 CRITICAL

10.0^/10

CVSS v3 : CRITICAL

Vector :

Exploitability : 3.9 / Impact : 5.8

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact NONE

Scope CHANGED

References

Link	Resource
https://github.com/Ericsson/codechecker/security/advisories/GHSA-f3f8-vx3w-hp5q	Vendor Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:ericsson:codechecker:*:*:*:*:*:*:*:*

History

14 Nov 2025, 16:36

Type	Values Removed	Values Added
CPE		cpe:2.3:a:ericsson:codechecker::::::::
References	~~() https://github.com/Ericsson/codechecker/security/advisories/GHSA-f3f8-vx3w-hp5q -~~	() https://github.com/Ericsson/codechecker/security/advisories/GHSA-f3f8-vx3w-hp5q - Vendor Advisory
Summary		(es) CodeChecker es una herramienta de análisis, una base de datos de defectos y una extensión de visualización para Clang Static Analyzer y Clang Tidy. La omisión de autenticación se produce cuando la URL de la API termina con Autenticación. Esta omisión permite el acceso de superusuario a todos los endpoints de la API excepto Autenticación. Estos endpoints incluyen la capacidad de agregar, editar y eliminar productos, entre otras cosas. Todos los endpoints, excepto /Authentication, se ven afectados por la vulnerabilidad. Este problema afecta a CodeChecker: hasta la versión 6.24.1.
First Time		Ericsson codechecker Ericsson

06 Nov 2024, 15:15

Type	Values Removed	Values Added
New CVE

Information

Published : 2024-11-06 15:15

Updated : 2025-11-14 16:36

NVD link : CVE-2024-10081

Mitre link : CVE-2024-10081

CVE.ORG link : CVE-2024-10081

JSON object : View

Products Affected

ericsson

codechecker

CWE

CWE-288

Authentication Bypass Using an Alternate Path or Channel

CWE-420

Unprotected Alternate Channel

{"id": "CVE-2024-10081", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "85b1779b-6ecd-4f52-bcc5-73eac4659dcf", "cvssData": {"scope": "CHANGED", "version": "3.1", "baseScore": 10.0, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:N", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 5.8, "exploitabilityScore": 3.9}, {"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "CHANGED", "version": "3.1", "baseScore": 10.0, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 6.0, "exploitabilityScore": 3.9}]}, "published": "2024-11-06T15:15:11.480", "references": [{"url": "https://github.com/Ericsson/codechecker/security/advisories/GHSA-f3f8-vx3w-hp5q", "tags": ["Vendor Advisory"], "source": "85b1779b-6ecd-4f52-bcc5-73eac4659dcf"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Secondary", "source": "85b1779b-6ecd-4f52-bcc5-73eac4659dcf", "description": [{"lang": "en", "value": "CWE-288"}, {"lang": "en", "value": "CWE-420"}]}], "descriptions": [{"lang": "en", "value": "CodeChecker is an analyzer tooling, defect database and viewer extension for the Clang Static Analyzer and Clang Tidy. \nAuthentication bypass occurs when the API URL ends with Authentication. This bypass allows superuser access to all API endpoints other than Authentication. These endpoints include the ability to add, edit, and remove products, among others. All endpoints, apart from the /Authentication is affected by the vulnerability.\n\nThis issue affects CodeChecker: through 6.24.1."}, {"lang": "es", "value": "CodeChecker es una herramienta de an\u00e1lisis, una base de datos de defectos y una extensi\u00f3n de visualizaci\u00f3n para Clang Static Analyzer y Clang Tidy. La omisi\u00f3n de autenticaci\u00f3n se produce cuando la URL de la API termina con Autenticaci\u00f3n. Esta omisi\u00f3n permite el acceso de superusuario a todos los endpoints de la API excepto Autenticaci\u00f3n. Estos endpoints incluyen la capacidad de agregar, editar y eliminar productos, entre otras cosas. Todos los endpoints, excepto /Authentication, se ven afectados por la vulnerabilidad. Este problema afecta a CodeChecker: hasta la versi\u00f3n 6.24.1."}], "lastModified": "2025-11-14T16:36:09.953", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:ericsson:codechecker:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "563B9884-8EDE-45C3-8F54-D97B15DFF93C", "versionEndExcluding": "6.24.2"}], "operator": "OR"}]}], "sourceIdentifier": "85b1779b-6ecd-4f52-bcc5-73eac4659dcf"}