CVE-2024-45049

Aug. 28, 2024, 12:57 p.m.

7.5
High

Description

Hydra is a Continuous Integration service for Nix based projects. It is possible to trigger evaluations in Hydra without any authentication. Depending on the size of evaluations, this can impact the availability of systems. The problem can be fixed by applying https://github.com/NixOS/hydra/commit/f73043378907c2c7e44f633ad764c8bdd1c947d5 to any Hydra package. Users are advised to upgrade. Users unable to upgrade should deny the `/api/push` route in a reverse proxy. This also breaks the "Evaluate jobset" button in the frontend.

Product(s) Impacted

Product Versions
Hydra
  • []

Weaknesses

Common security weaknesses mapped to this vulnerability.

CWE-306
Missing Authentication for Critical Function
The product does not perform any authentication for functionality that requires a provable user identity or consumes a significant amount of resources.

References

https://github.com/NixOS/hydra/commit/f73043378907c2c7e44f633ad764c8bdd1c947d5
https://github.com/NixOS/hydra/security/advisories/GHSA-xv29-v93r-2f5v
https://github.com/NixOS/nixpkgs/pull/337766
https://mastodon.delroth.net/@delroth/113029832631860419

Tags

security-advisories@github.com
CWE-306
2024-08-27
CVE-2024-45049

CVSS Score

7.5 / 10

CVSS Data - 3.1

  • Attack Vector: NETWORK
  • Attack Complexity: LOW
  • Privileges Required: NONE
  • Scope: UNCHANGED
  • Confidentiality Impact: NONE
  • Integrity Impact: NONE
  • Availability Impact: HIGH

    • CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

    View Vector String

Timeline

Published: Aug. 27, 2024, 9:15 p.m.
Last Modified: Aug. 28, 2024, 12:57 p.m.

Status : Awaiting Analysis

CVE has been recently published to the CVE List and has been received by the NVD.

More info

Source

security-advisories@github.com

*Disclaimer: Some vulnerabilities do not have an associated CPE. To enhance the data, we use AI to infer CPEs based on CVE details. This is an automated process and might not always be accurate.