CVE-2024-45404

Dec. 12, 2024, 5:15 p.m.

8.1
High

Description

OpenCTI is an open-source cyber threat intelligence platform. In versions below 6.2.18, because the function to limit the rate of OTP does not exist, an attacker with valid credentials or a malicious user who commits internal fraud can break through the two-factor authentication and hijack the account. This is because the otpLogin mutation does not implement One Time Password rate limiting. As of time of publication, it is unknown whether a patch is available.

Product(s) Impacted

Product Versions
OpenCTI
  • ['< 6.2.18']

Weaknesses

Common security weaknesses mapped to this vulnerability.

CWE-287
Improper Authentication
When an actor claims to have a given identity, the product does not prove or insufficiently proves that the claim is correct.

References

https://github.com/OpenCTI-Platform/opencti/security/advisories/GHSA-hg56-r6hh-56j7
https://github.com/OpenCTI-Platform/opencti/security/advisories/GHSA-hg56-r6hh-56j7

Tags

security-advisories@github.com
CWE-287
2024-12-12
CVE-2024-45404

CVSS Score

8.1 / 10

CVSS Data - 3.1

  • Attack Vector: NETWORK
  • Attack Complexity: LOW
  • Privileges Required: LOW
  • Scope: UNCHANGED
  • Confidentiality Impact: HIGH
  • Integrity Impact: HIGH
  • Availability Impact: NONE

    • CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N

    View Vector String

Timeline

Published: Dec. 12, 2024, 2:02 a.m.
Last Modified: Dec. 12, 2024, 5:15 p.m.

Status : Awaiting Analysis

CVE has been recently published to the CVE List and has been received by the NVD.

More info

Source

security-advisories@github.com

*Disclaimer: Some vulnerabilities do not have an associated CPE. To enhance the data, we use AI to infer CPEs based on CVE details. This is an automated process and might not always be accurate.