Access Control Flaw in Atos Eviden IDRA Affects Digital Identity Solutions
CVE-2024-39327

9.9CRITICAL

Key Information:

Vendor

Atos

Status
Eviden IDRA
Vendor
CVE Published:
18 February 2025

What is CVE-2024-39327?

CVE-2024-39327 is an access control vulnerability identified in Atos Eviden IDRA prior to version 2.6.1. Atos Eviden IDRA is a digital identity solution designed to streamline and secure identity management processes. The flaw relates to improper access controls, which could potentially allow unauthorized users to illegitimately obtain Certificate Authority (CA) signing capabilities. This vulnerability can expose organizations to significant risk, particularly in contexts where secure digital identity verification is critical.

Technical Details

The vulnerability arises from an incorrect implementation of access control measures within the Atos Eviden IDRA software. Specifically, users with insufficient privileges might be able to bypass the intended security mechanisms, leading to the unauthorized issuance of CA signatures. This opens the door for malicious actors to leverage these capabilities for fraudulent activities, potentially affecting the integrity of digital transactions, user authentication processes, and overall data security.

Potential impact of CVE-2024-39327

  1. Unauthorized CA Signing: The most direct consequence of this vulnerability is the potential for unauthorized individuals to obtain CA signing rights. This can lead to the creation of counterfeit certificates, thereby undermining the trustworthiness of digital identity systems.

  2. Data Breach Risk: Exploitation of this vulnerability could facilitate broader access to sensitive data and systems, increasing the likelihood of data breaches, which could have disastrous repercussions for both organizations and their customers.

  3. Reputational Damage: Organizations affected by this vulnerability may suffer significant reputational harm, particularly if the exploitation leads to a high-profile incident involving compromised digital identities or fraudulent activities. The loss of trust can have long-lasting effects on customer relationships and future business opportunities.

References

https://eviden.com/solutions/digital-security/digital-ide...
https://support.bull.com/ols/product/security/psirt/secur...

CVSS V3.1

Score:
9.9
Severity:
CRITICAL
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
Low
User Interaction:
None
Scope:
Changed

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.