Hydra Continuous Integration Vulnerability: Unauthenticated Evaluations Impact Availability
CVE-2024-45049

7.5HIGH

Key Information:

Vendor

Nixos

Status
Hydra
Vendor
CVE Published:
27 August 2024

What is CVE-2024-45049?

Hydra, a Continuous Integration service designed for Nix-based projects, contains a vulnerability that enables evaluations to be triggered without proper authentication. This flaw poses a risk to system availability, especially if large-scale evaluations are initiated. To mitigate this vulnerability, users are encouraged to apply the relevant fix from the GitHub commit. For those unable to upgrade, it is advisable to restrict access to the '/api/push' route via a reverse proxy, though this may impede the functionality of the 'Evaluate jobset' feature in the frontend interface.

Affected Version(s)

hydra < f73043378907c2c7e44f633ad764c8bdd1c947d5

References

https://github.com/NixOS/hydra/security/advisories/GHSA-x...
x_refsource_CONFIRM
https://github.com/NixOS/nixpkgs/pull/337766
x_refsource_MISC
https://github.com/NixOS/hydra/commit/f73043378907c2c7e44...
x_refsource_MISC

CVSS V3.1

Score:
7.5
Severity:
HIGH
Confidentiality:
None
Integrity:
None
Availability:
None
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.