Forklift Controller Vulnerability: Missing Authorization Header Security
CVE-2024-8509

7.5 HIGH

Key Information:

Vendor
Red Hat
CVE Published:
6 September 2024

Summary

A vulnerability in Forklift Controller allows attackers to bypass its authorization checks by way of bearer token authentication. The controller does not perform robust verification of the Authorization header, which can lead to unauthorized access: when a valid bearer token is supplied, it returns a success response (HTTP 200) together with the requested data, and without a valid token it returns 401 Unauthorized. This oversight can expose sensitive information and warrants prompt attention from users to strengthen their security posture.
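As an added illustration (not Forklift's own code), the Go snippet below contrasts a bearer check that only confirms the header's scheme with one that verifies the token value itself. The shape of the weak check and the trusted token are assumptions made for this example; the hardened variant shows what robust verification of the Authorization header looks like for a controller API.

```go
package main

import (
	"crypto/subtle"
	"net/http"
	"net/http/httptest"
	"strings"
)

// Constructed credential standing in for a real verifier (e.g. a Kubernetes TokenReview call); an assumption, not Forklift's code.
const trustedToken = "s3cr3t-token"

// weakAuth shows the flaw class from the summary: it checks only that the header uses the bearer scheme, never the token value.
func weakAuth(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if !strings.HasPrefix(r.Header.Get("Authorization"), "Bearer ") {
			http.Error(w, "unauthorized", http.StatusUnauthorized)
			return
		}
		next.ServeHTTP(w, r)
	})
}

// strictAuth separates scheme from credential and verifies the token itself in constant time; anything else gets 401.
func strictAuth(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		scheme, token, ok := strings.Cut(r.Header.Get("Authorization"), " ")
		if !ok || !strings.EqualFold(scheme, "Bearer") ||
			subtle.ConstantTimeCompare([]byte(token), []byte(trustedToken)) != 1 {
			http.Error(w, "unauthorized", http.StatusUnauthorized)
			return
		}
		next.ServeHTTP(w, r)
	})
}

// statusFor sends one GET carrying the given Authorization header through a middleware and returns the resulting status code.
func statusFor(mw func(http.Handler) http.Handler, authHeader string) int {
	data := http.HandlerFunc(func(w http.ResponseWriter, _ *http.Request) {
		w.Write([]byte(`{"plans":[]}`)) // the protected resource
	})
	req := httptest.NewRequest(http.MethodGet, "/plans", nil)
	if authHeader != "" {
		req.Header.Set("Authorization", authHeader)
	}
	rec := httptest.NewRecorder()
	mw(data).ServeHTTP(rec, req)
	return rec.Code
}
```

Running both middlewares against a request with an arbitrary bearer value is the quickest way to confirm whether an API merely checks for the scheme or actually validates the credential.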

CVSS V3.1

Score: 7.5
Severity: HIGH
Confidentiality: High
Integrity: None
Availability: High
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged

Timeline

  • Vulnerability published
  • Vulnerability reserved

Credit

This issue was discovered by Andrew Block (Red Hat).