@valtimo/components exposes access token to form.io
CVE-2024-34706

9.8CRITICAL

Key Information:

Vendor: Valtimo-platform
Status: Valtimo-frontend-libraries
Vendor: CVE Published:; 14 May 2024

🔔 Create Valtimo-platform Vulnerability Alert

What is CVE-2024-34706?

Valtimo is an open-source business process and case management platform that has been identified with a vulnerability where user access tokens (JWT) can be exposed through the x-jwt-token header when a form is accessed. This misconfiguration of the Form.io component permits attackers with network traffic access on api.form.io to collect sensitive personal information or to perform unauthorized API requests on behalf of the logged-in users. The exploitation requires that the attacker has visibility on the token’s header logging and can access the Valtimo API within the access token's time-to-live, which defaults to 5 minutes in Keycloak. Versions 10.8.4, 11.1.6, and 11.2.2 have been released with patches addressing this issue.

Human OS v1.0:
Ageing Is an Unpatched Zero-Day Vulnerability.

Remediate biological technical debt. Prime Ageing uses 95% high-purity SIRT6 activation to maintain genomic integrity and bolster systemic resilience.

Deploy the Patch