CVE-2024-6299

Lack of consideration of key expiry when validating signatures in Conduit, allowing an attacker which has compromised an expired key to forge requests as the remote server, as well as PDUs with timestamps past the expiry date

CVSS v3 3.7 LOW

3.7^/10

CVSS v3 : LOW

Vector :

Exploitability : 2.2 / Impact : 1.4

Attack Vector NETWORK

Attack Complexity HIGH

Privileges Required NONE

User Interaction NONE

Confidentiality Impact NONE

Integrity Impact LOW

Availability Impact NONE

Scope UNCHANGED

References

Link	Resource
https://conduit.rs/changelog/#v0-8-0-2024-06-12	Release Notes
https://gitlab.com/famedly/conduit/-/releases/v0.8.0	Release Notes

Configurations

Configuration 1 (hide)

cpe:2.3:a:conduit:conduit:*:*:*:*:*:*:*:*

History

20 Sep 2024, 19:24

Type	Values Removed	Values Added
CVSS	v2 : ~~unknown~~ v3 : ~~4.8~~	v2 : unknown v3 : 3.7
Summary		(es) Falta de consideración de la caducidad de la clave al validar firmas en Conduit, lo que permite a un atacante que ha comprometido una clave caducada falsificar solicitudes como servidor remoto, así como PDU con marcas de tiempo posteriores a la fecha de caducidad.
CPE		cpe:2.3:a:conduit:conduit::::::::
CWE		NVD-CWE-Other
References	~~() https://conduit.rs/changelog/#v0-8-0-2024-06-12 -~~	() https://conduit.rs/changelog/#v0-8-0-2024-06-12 - Release Notes
References	~~() https://gitlab.com/famedly/conduit/-/releases/v0.8.0 -~~	() https://gitlab.com/famedly/conduit/-/releases/v0.8.0 - Release Notes
First Time		Conduit conduit Conduit

25 Jun 2024, 13:15

Type	Values Removed	Values Added
New CVE

Information

Published : 2024-06-25 13:15

Updated : 2024-09-20 19:24

NVD link : CVE-2024-6299

Mitre link : CVE-2024-6299

CVE.ORG link : CVE-2024-6299

JSON object : View

Products Affected

conduit

conduit

CWE

NVD-CWE-Other CWE-324

Use of a Key Past its Expiration Date

{"id": "CVE-2024-6299", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 3.7, "attackVector": "NETWORK", "baseSeverity": "LOW", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "HIGH", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}, "impactScore": 1.4, "exploitabilityScore": 2.2}, {"type": "Secondary", "source": "cve@gitlab.com", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 4.8, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "HIGH", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}, "impactScore": 2.5, "exploitabilityScore": 2.2}]}, "published": "2024-06-25T13:15:50.587", "references": [{"url": "https://conduit.rs/changelog/#v0-8-0-2024-06-12", "tags": ["Release Notes"], "source": "cve@gitlab.com"}, {"url": "https://gitlab.com/famedly/conduit/-/releases/v0.8.0", "tags": ["Release Notes"], "source": "cve@gitlab.com"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "NVD-CWE-Other"}]}, {"type": "Secondary", "source": "cve@gitlab.com", "description": [{"lang": "en", "value": "CWE-324"}]}], "descriptions": [{"lang": "en", "value": "Lack of consideration of key expiry when validating signatures in Conduit, allowing an attacker which has compromised an expired key to forge requests as the remote server, as well as PDUs with timestamps past the expiry date"}, {"lang": "es", "value": "Falta de consideraci\u00f3n de la caducidad de la clave al validar firmas en Conduit, lo que permite a un atacante que ha comprometido una clave caducada falsificar solicitudes como servidor remoto, as\u00ed como PDU con marcas de tiempo posteriores a la fecha de caducidad."}], "lastModified": "2024-09-20T19:24:13.170", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:conduit:conduit:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "0A42037C-F568-4862-BEE1-FCE796E55CD1", "versionEndExcluding": "0.8.0"}], "operator": "OR"}]}], "sourceIdentifier": "cve@gitlab.com"}