CVE-2024-42056

Retool (self-hosted enterprise) through 3.40.0 inserts resource authentication credentials into sent data. Credentials for users with "Use" permissions can be discovered (by an authenticated attacker) via the /api/resources endpoint. The earliest affected version is 3.18.1.
References
Configurations

Configuration 1

cpe:2.3:a:retool:retool:*:*:*:*:*:*:*:*

History

26 Aug 2024, 15:15

Type         Values Removed                                          Values Added
CVSS         v2 : unknown; v3 : unknown                              v2 : unknown; v3 : 6.5
First Time   -                                                       Retool; Retool retool
CWE          -                                                       CWE-532
References   https://docs.retool.com/disclosures/cve-2024-42056 -    https://docs.retool.com/disclosures/cve-2024-42056 - Vendor Advisory
References   https://docs.retool.com/releases -                      https://docs.retool.com/releases - Release Notes
CPE          -                                                       cpe:2.3:a:retool:retool:*:*:*:*:*:*:*:*

22 Aug 2024, 12:48

Type         Values Removed    Values Added
Summary      -                 (es) Retool (self-hosted enterprise) through 3.40.0 inserts resource authentication credentials into sent data. Credentials for users with "Use" permissions can be discovered (by an authenticated attacker) via the /api/resources endpoint. The earliest affected version is 3.18.1.

22 Aug 2024, 01:15

Type         Values Removed    Values Added
New CVE      -                 -

Information

Published : 2024-08-22 01:15

Updated : 2024-08-26 15:15


NVD link : CVE-2024-42056

Mitre link : CVE-2024-42056

CVE.ORG link : CVE-2024-42056
Products Affected

retool

  • retool
CWE
CWE-532

Insertion of Sensitive Information into Log File