CVE-2024-10082

{"id": "CVE-2024-10082", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "85b1779b-6ecd-4f52-bcc5-73eac4659dcf", "cvssData": {"scope": "CHANGED", "version": "3.1", "baseScore": 8.7, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:N", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "HIGH", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 5.8, "exploitabilityScore": 2.2}, {"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "CHANGED", "version": "3.1", "baseScore": 9.0, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "HIGH", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 6.0, "exploitabilityScore": 2.2}]}, "published": "2024-11-06T15:15:11.760", "references": [{"url": "https://github.com/Ericsson/codechecker/security/advisories/GHSA-fpm5-2wcj-vfr7", "tags": ["Vendor Advisory"], "source": "85b1779b-6ecd-4f52-bcc5-73eac4659dcf"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Secondary", "source": "85b1779b-6ecd-4f52-bcc5-73eac4659dcf", "description": [{"lang": "en", "value": "CWE-305"}, {"lang": "en", "value": "CWE-330"}, {"lang": "en", "value": "CWE-842"}]}], "descriptions": [{"lang": "en", "value": "CodeChecker is an analyzer tooling, defect database and viewer extension for the Clang Static Analyzer and Clang Tidy. \nAuthentication method confusion allows logging in as the built-in root user from an external service. The built-in root user up until 6.24.1 is generated in a weak manner, cannot be disabled, and has universal access.This vulnerability allows an attacker who can create an account on an enabled external authentication service, to log in as the root user, and access and control everything that can be controlled via the web interface.\u00a0The attacker needs to acquire the username of the root user to be successful.\n\nThis issue affects CodeChecker: through 6.24.1."}, {"lang": "es", "value": "CodeChecker es una herramienta de an\u00e1lisis, una base de datos de defectos y una extensi\u00f3n de visualizaci\u00f3n para Clang Static Analyzer y Clang Tidy. La confusi\u00f3n del m\u00e9todo de autenticaci\u00f3n permite iniciar sesi\u00f3n como el usuario root integrado desde un servicio externo. El usuario root integrado hasta la versi\u00f3n 6.24.1 se genera de forma d\u00e9bil, no se puede deshabilitar y tiene acceso universal. Esta vulnerabilidad permite a un atacante que puede crear una cuenta en un servicio de autenticaci\u00f3n externo habilitado iniciar sesi\u00f3n como el usuario root y acceder y controlar todo lo que se puede controlar a trav\u00e9s de la interfaz web. El atacante necesita adquirir el nombre de usuario del usuario root para tener \u00e9xito. Este problema afecta a CodeChecker: hasta la versi\u00f3n 6.24.1."}], "lastModified": "2025-11-14T17:24:08.690", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:ericsson:codechecker:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "563B9884-8EDE-45C3-8F54-D97B15DFF93C", "versionEndExcluding": "6.24.2"}], "operator": "OR"}]}], "sourceIdentifier": "85b1779b-6ecd-4f52-bcc5-73eac4659dcf"}