CVE-2024-41254

An issue was discovered in litestream v0.3.13. The usage of the ssh.InsecureIgnoreHostKey() disables host key verification, possibly allowing attackers to obtain sensitive information via a man-in-the-middle attack.
References
Configurations

Configuration 1 (hide)

cpe:2.3:a:litestream:litestream:*:*:*:*:*:*:*:*

History

29 Oct 2024, 21:35

Type Values Removed Values Added
CWE CWE-639

15 Aug 2024, 13:15

Type Values Removed Values Added
First Time Litestream litestream
Litestream
CWE CWE-347
CPE cpe:2.3:a:litestream:litestream:*:*:*:*:*:*:*:*
CVSS v2 : unknown
v3 : unknown
v2 : unknown
v3 : 5.3
References () https://gist.github.com/nyxfqq/d857f268a53aa62402655c8dcd95c68f - () https://gist.github.com/nyxfqq/d857f268a53aa62402655c8dcd95c68f - Third Party Advisory

01 Aug 2024, 12:42

Type Values Removed Values Added
Summary
  • (es) Se descubrió un problema en litestream v0.3.13. El uso de ssh.InsecureIgnoreHostKey() deshabilita la verificación de la clave del host, lo que posiblemente permita a los atacantes obtener información confidencial a través de un ataque de man-in-the-middle.

31 Jul 2024, 21:15

Type Values Removed Values Added
New CVE

Information

Published : 2024-07-31 21:15

Updated : 2024-10-29 21:35


NVD link : CVE-2024-41254

Mitre link : CVE-2024-41254

CVE.ORG link : CVE-2024-41254


JSON object : View

Products Affected

litestream

  • litestream
CWE
CWE-347

Improper Verification of Cryptographic Signature

CWE-639

Authorization Bypass Through User-Controlled Key