CVE-2024-6299

Lack of consideration of key expiry when validating signatures in Conduit, allowing an attacker which has compromised an expired key to forge requests as the remote server, as well as PDUs with timestamps past the expiry date

CVSS v3 4.8 MEDIUM

4.8^/10

CVSS v3 : MEDIUM

Vector :

Exploitability : 2.2 / Impact : 2.5

Attack Vector NETWORK

Attack Complexity HIGH

Privileges Required NONE

User Interaction NONE

Confidentiality Impact LOW

Integrity Impact LOW

Availability Impact NONE

Scope UNCHANGED

References

Link	Resource
https://conduit.rs/changelog/#v0-8-0-2024-06-12	Release Notes
https://gitlab.com/famedly/conduit/-/releases/v0.8.0	Release Notes
https://conduit.rs/changelog/#v0-8-0-2024-06-12	Release Notes
https://gitlab.com/famedly/conduit/-/releases/v0.8.0	Release Notes

Configurations

Configuration 1 (hide)

cpe:2.3:a:conduit:conduit:*:*:*:*:*:*:*:*

History

No history.

Information

Published : 2024-06-25 13:15

Updated : 2024-11-21 09:49

NVD link : CVE-2024-6299

Mitre link : CVE-2024-6299

CVE.ORG link : CVE-2024-6299

JSON object : View

Products Affected

conduit

conduit

CWE

CWE-324

Use of a Key Past its Expiration Date

NVD-CWE-Other

{"id": "CVE-2024-6299", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "cve@gitlab.com", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 4.8, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "HIGH", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}, "impactScore": 2.5, "exploitabilityScore": 2.2}, {"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 3.7, "attackVector": "NETWORK", "baseSeverity": "LOW", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "HIGH", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}, "impactScore": 1.4, "exploitabilityScore": 2.2}]}, "published": "2024-06-25T13:15:50.587", "references": [{"url": "https://conduit.rs/changelog/#v0-8-0-2024-06-12", "tags": ["Release Notes"], "source": "cve@gitlab.com"}, {"url": "https://gitlab.com/famedly/conduit/-/releases/v0.8.0", "tags": ["Release Notes"], "source": "cve@gitlab.com"}, {"url": "https://conduit.rs/changelog/#v0-8-0-2024-06-12", "tags": ["Release Notes"], "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "https://gitlab.com/famedly/conduit/-/releases/v0.8.0", "tags": ["Release Notes"], "source": "af854a3a-2127-422b-91ae-364da2661108"}], "vulnStatus": "Modified", "weaknesses": [{"type": "Secondary", "source": "cve@gitlab.com", "description": [{"lang": "en", "value": "CWE-324"}]}, {"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "NVD-CWE-Other"}]}], "descriptions": [{"lang": "en", "value": "Lack of consideration of key expiry when validating signatures in Conduit, allowing an attacker which has compromised an expired key to forge requests as the remote server, as well as PDUs with timestamps past the expiry date"}, {"lang": "es", "value": "Falta de consideraci\u00f3n de la caducidad de la clave al validar firmas en Conduit, lo que permite a un atacante que ha comprometido una clave caducada falsificar solicitudes como servidor remoto, as\u00ed como PDU con marcas de tiempo posteriores a la fecha de caducidad."}], "lastModified": "2024-11-21T09:49:23.313", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:conduit:conduit:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "0A42037C-F568-4862-BEE1-FCE796E55CD1", "versionEndExcluding": "0.8.0"}], "operator": "OR"}]}], "sourceIdentifier": "cve@gitlab.com"}