CVSS: 6.4EPSS: 0%CPEs: 1EXPL: 0CVE-2025-1300 – Open redirect in CodeChecker web server
https://notcve.org/view.php?id=CVE-2025-1300
28 Feb 2025 — CodeChecker is an analyzer tooling, defect database and viewer extension for the Clang Static Analyzer and Clang Tidy. The CodeChecker web server contains an open redirect vulnerability due to missing protections against multiple slashes after the product name in the URL. This results in bypassing the protections against CVE-2021-28861, leading to the same open redirect pathway. This issue affects CodeChecker: through 6.24.5. • https://github.com/Ericsson/codechecker/security/advisories/GHSA-g839-x3p3-g5fm • CWE-601: URL Redirection to Untrusted Site ('Open Redirect') •
CVSS: 8.5EPSS: 0%CPEs: 1EXPL: 0CVE-2024-53829 – Cross-Site Request Forgery in CodeChecker API
https://notcve.org/view.php?id=CVE-2024-53829
21 Jan 2025 — CodeChecker is an analyzer tooling, defect database and viewer extension for the Clang Static Analyzer and Clang Tidy. Cross-site request forgery allows an unauthenticated attacker to hijack the authentication of a logged in user, and use the web API with the same permissions, including but not limited to adding, removing or editing products. The attacker needs to know the ID of the available products to modify or delete them. The attacker cannot directly exfiltrate data (view) from CodeChecker, due to bein... • https://github.com/Ericsson/codechecker/security/advisories/GHSA-f8c8-4pm7-w885 • CWE-352: Cross-Site Request Forgery (CSRF) •
CVSS: 8.7EPSS: 0%CPEs: 1EXPL: 0CVE-2024-10082
https://notcve.org/view.php?id=CVE-2024-10082
06 Nov 2024 — CodeChecker is an analyzer tooling, defect database and viewer extension for the Clang Static Analyzer and Clang Tidy. Authentication method confusion allows logging in as the built-in root user from an external service. The built-in root user up until 6.24.1 is generated in a weak manner, cannot be disabled, and has universal access.This vulnerability allows an attacker who can create an account on an enabled external authentication service, to log in as the root user, and access and control everything tha... • https://github.com/Ericsson/codechecker/security/advisories/GHSA-fpm5-2wcj-vfr7 • CWE-305: Authentication Bypass by Primary Weakness CWE-330: Use of Insufficiently Random Values CWE-842: Placement of User into Incorrect Group •
CVSS: 10.0EPSS: 0%CPEs: 1EXPL: 0CVE-2024-10081
https://notcve.org/view.php?id=CVE-2024-10081
06 Nov 2024 — CodeChecker is an analyzer tooling, defect database and viewer extension for the Clang Static Analyzer and Clang Tidy. Authentication bypass occurs when the API URL ends with Authentication. This bypass allows superuser access to all API endpoints other than Authentication. These endpoints include the ability to add, edit, and remove products, among others. All endpoints, apart from the /Authentication is affected by the vulnerability. • https://github.com/Ericsson/codechecker/security/advisories/GHSA-f3f8-vx3w-hp5q • CWE-288: Authentication Bypass Using an Alternate Path or Channel CWE-420: Unprotected Alternate Channel •
CVSS: 6.8EPSS: 0%CPEs: 1EXPL: 0CVE-2023-49793 – Path traversal in `CodeChecker server` in the endpoint of `CodeChecker store`
https://notcve.org/view.php?id=CVE-2023-49793
24 Jun 2024 — CodeChecker is an analyzer tooling, defect database and viewer extension for the Clang Static Analyzer and Clang Tidy. Zip files uploaded to the server endpoint of `CodeChecker store` are not properly sanitized. An attacker, using a path traversal attack, can load and display files on the machine of `CodeChecker server`. The vulnerable endpoint is `/Default/v6.53/CodeCheckerService@massStoreRun`. The path traversal vulnerability allows reading data on the machine of the `CodeChecker server`, with the same p... • https://github.com/Ericsson/codechecker/commit/46bada41e32f3ba0f6011d5c556b579f6dddf07a • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') •
CVSS: 6.1EPSS: 0%CPEs: 1EXPL: 2CVE-2021-44217
https://notcve.org/view.php?id=CVE-2021-44217
18 Jan 2022 — In Ericsson CodeChecker through 6.18.0, a Stored Cross-site scripting (XSS) vulnerability in the comments component of the reports viewer allows remote attackers to inject arbitrary web script or HTML via the POST JSON data of the /CodeCheckerService API. En Ericsson CodeChecker versiones hasta 6.18.0, una vulnerabilidad de tipo Cross-site scripting (XSS) Almacenado en el componente comments del visor de informes permite a atacantes remotos inyectar script web o HTML arbitrario por medio de los datos POST J... • https://github.com/Hyperkopite/CVE-2021-44217 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •