Unvalidated Server Impersonation Vulnerability in Conduit Federation API
CVE-2024-6301

7.5HIGH

Key Information:

Vendor

The Conduit Contributors

Status
Conduit
Vendor
CVE Published:
25 June 2024

What is CVE-2024-6301?

The vulnerability in Conduit arises from inadequate validation of the origin in its federation API. This flaw permits any remote server to impersonate users from various servers, particularly impacting educational institutions. Due to this lack of origin verification, an attacker can potentially act as any user, compromising the integrity and security of communications within the affected systems. It is crucial for users and administrators to assess their exposure to this vulnerability and implement necessary protective measures as outlined in the recent release notes.

Affected Version(s)

Conduit 0 < 0.8.0

References

https://gitlab.com/famedly/conduit/-/releases/v0.8.0
https://conduit.rs/changelog/#v0-8-0-2024-06-12

CVSS V3.1

Score:
7.5
Severity:
HIGH
Confidentiality:
None
Integrity:
High
Availability:
None
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Matthias Ahouansou for finding and patching the vulnerability
.
CVE-2024-6301 : Unvalidated Server Impersonation Vulnerability in Conduit Federation API