CVE-2024-12839

Dec. 31, 2024, 2:15 a.m.

8.8
High

Description

The login mechanism via device authentication of CGFIDO from Changing Information Technology has an Authentication Bypass vulnerability. If a user visits a forged website, the agent program deployed on their device will send an authentication signature to the website. An unauthenticated remote attacker who obtains this signature can use it to log into the system with any device.

Product(s) Impacted

Product Versions
CGFIDO

Weaknesses

Common security weaknesses mapped to this vulnerability.

CWE-294
Authentication Bypass by Capture-replay
A capture-replay flaw exists when the design of the product makes it possible for a malicious user to sniff network traffic and bypass authentication by replaying it to the server in question to the same effect as the original message (or with minor changes).

References

https://www.twcert.org.tw/en/cp-139-8335-e4a3f-2.html
https://www.twcert.org.tw/tw/cp-132-8334-8b836-1.html

Tags

twcert@cert.org.tw
CWE-294
2024-12-31
CVE-2024-12839

CVSS Score

8.8 / 10

CVSS Data - 3.1

  • Attack Vector: NETWORK
  • Attack Complexity: LOW
  • Privileges Required: NONE
  • Scope: UNCHANGED
  • Confidentiality Impact: HIGH
  • Integrity Impact: HIGH
  • Availability Impact: HIGH

    • CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

    View Vector String

Timeline

Published: Dec. 31, 2024, 2:15 a.m.
Last Modified: Dec. 31, 2024, 2:15 a.m.

Status : Awaiting Analysis

CVE has been recently published to the CVE List and has been received by the NVD.

More info

Source

twcert@cert.org.tw

*Disclaimer: Some vulnerabilities do not have an associated CPE. To enhance the data, we use AI to infer CPEs based on CVE details. This is an automated process and might not always be accurate.