CVE-2024-12056

The Client secret is not checked when using the OAuth Password grant type. By exploiting this vulnerability, an attacker could connect to a web server using a client application not explicitly authorized as part of the OAuth deployment. Exploitation requires valid credentials and does not permit the attacker to bypass user privileges.

CVSS

No CVSS.

References

Link	Resource
https://www.pcvue.com/security/security/#SB2024-4

Configurations

No configuration.

History

04 Dec 2024, 15:15

Type	Values Removed	Values Added
New CVE

Information

Published : 2024-12-04 15:15

Updated : 2024-12-04 15:15

NVD link : CVE-2024-12056

Mitre link : CVE-2024-12056

CVE.ORG link : CVE-2024-12056

JSON object : View

Products Affected

No product.

CWE

CWE-358

Improperly Implemented Security Check for Standard

{"id": "CVE-2024-12056", "cveTags": [], "metrics": {"cvssMetricV40": [{"type": "Secondary", "source": "87c8e6ad-f0f5-4ca8-89e2-89f26d6ed932", "cvssData": {"safety": "NOT_DEFINED", "version": "4.0", "recovery": "USER", "baseScore": 2.3, "automatable": "NO", "attackVector": "NETWORK", "baseSeverity": "LOW", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:P/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:N/R:U/V:X/RE:M/U:Green", "exploitMaturity": "NOT_DEFINED", "providerUrgency": "GREEN", "userInteraction": "PASSIVE", "attackComplexity": "HIGH", "attackRequirements": "NONE", "privilegesRequired": "NONE", "modifiedAttackVector": "NOT_DEFINED", "integrityRequirements": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "availabilityRequirements": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "subsequentSystemIntegrity": "LOW", "vulnerableSystemIntegrity": "LOW", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "confidentialityRequirements": "NOT_DEFINED", "vulnerabilityResponseEffort": "MODERATE", "subsequentSystemAvailability": "NONE", "vulnerableSystemAvailability": "NONE", "subsequentSystemConfidentiality": "LOW", "vulnerableSystemConfidentiality": "LOW", "modifiedSubsequentSystemIntegrity": "NOT_DEFINED", "modifiedVulnerableSystemIntegrity": "NOT_DEFINED", "modifiedSubsequentSystemAvailability": "NOT_DEFINED", "modifiedVulnerableSystemAvailability": "NOT_DEFINED", "modifiedSubsequentSystemConfidentiality": "NOT_DEFINED", "modifiedVulnerableSystemConfidentiality": "NOT_DEFINED"}}]}, "published": "2024-12-04T15:15:09.700", "references": [{"url": "https://www.pcvue.com/security/security/#SB2024-4", "source": "87c8e6ad-f0f5-4ca8-89e2-89f26d6ed932"}], "vulnStatus": "Received", "weaknesses": [{"type": "Secondary", "source": "87c8e6ad-f0f5-4ca8-89e2-89f26d6ed932", "description": [{"lang": "en", "value": "CWE-358"}]}], "descriptions": [{"lang": "en", "value": "The Client secret is not checked when using the OAuth Password grant type.\n\nBy exploiting this vulnerability, an attacker could connect to a web server using a client application not explicitly authorized as part of the OAuth deployment.\nExploitation requires valid credentials and does not permit the attacker to bypass user privileges."}], "lastModified": "2024-12-04T15:15:09.700", "sourceIdentifier": "87c8e6ad-f0f5-4ca8-89e2-89f26d6ed932"}

CVE-2024-12056

JSON object

Attach tags to CVE-2024-12056

Attach tags to `CVE-2024-12056`