CVE-2024-36264

Apache Submarine Commons Utils: default secret

Severity Score

"-"

*CVSS v-

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

*KEV

Decision

Track*

*SSVC

Descriptions

Improper Authentication vulnerability in Apache Submarine Commons Utils.

This issue affects Apache Submarine Commons Utils: from 0.8.0.

As this project is retired, we do not plan to release a version that fixes this issue. Users are recommended to find an alternative or restrict access to the instance to trusted users.

NOTE: This vulnerability only affects products that are no longer supported by the maintainer.

Vulnerabilidad de autenticación incorrecta en Apache Submarine Commons Utils. Este problema afecta a Apache Submarine Commons Utils: desde 0.8.0. Como este proyecto está retirado, no planeamos lanzar una versión que solucione este problema. Se recomienda a los usuarios que busquen una alternativa o restrinjan el acceso a la instancia a usuarios confiables. NOTA: Esta vulnerabilidad solo afecta a productos que ya no son compatibles con el fabricante.

Improper Authentication vulnerability in Apache Submarine Commons Utils.

If the user doesn't explicitly set `submarine.auth.default.secret`, a default value will be used.

This issue affects Apache Submarine Commons Utils: from 0.8.0.

As this project is retired, we do not plan to release a version that fixes this issue. Users are recommended to find an alternative or restrict access to the instance to trusted users.

NOTE: This vulnerability only affects products that are no longer supported by the maintainer.

*Credits: Jonathan Leitschuh, L0ne1y

CVSS Scores

Attack Vector

Attack Complexity

Privileges Required

User Interaction

Scope

Confidentiality

Integrity

Availability

* Common Vulnerability Scoring System

SSVC

Decision:Track*

Exploitation

None

Automatable

Tech. Impact

Total

* Organization's Worst-case Scenario

Timeline

2024-05-22 CVE Reserved
2024-06-12 CVE Published
2024-10-14 CVE Updated
2024-10-15 EPSS Updated
---------- Exploited in Wild
---------- KEV Due Date
---------- First Exploit

CWE

CWE-287: Improper Authentication

CAPEC

References (3)

URL	Tag	Source
http://www.openwall.com/lists/oss-security/2024/06/12/2

URL	Date	SRC

URL	Date	SRC
https://github.com/apache/submarine/pull/1125	2024-06-13

URL	Date	SRC
https://lists.apache.org/thread/7mo0c7vbhpo8thvybl8wwvb0bccrg7r4	2024-06-13

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
Apache Software Foundation Search vendor "Apache Software Foundation"		Apache Submarine Commons Utils Search vendor "Apache Software Foundation" for product "Apache Submarine Commons Utils"				<= 0.8.0 Search vendor "Apache Software Foundation" for product "Apache Submarine Commons Utils" and version " <= 0.8.0"		en		Affected

* End Of Life in some or all products. Do not expect updates.