Base Score

CRITICAL9.1

CVE-2024-23687

Hard-coded credentials in FOLIO mod-data-export-spring versions before 1.5.4 and from 2.0.0 to 2.0.2 allows unauthenticated users to access critical APIs, modify user data, modify configurations including single-sign-on, and manipulate fees/fines.

VectorNETWORK

Published Bydisclosure@vulncheck.com

Published DateJan 19, 2024, 22:15

Affected Versions(2)

org.folio:mod-data-export-spring(Maven)

Introduced0

Fixed1.5.4

LimitN/A

org.folio:mod-data-export-spring(Maven)

Introduced2.0.0

Fixed3.0.0

LimitN/A

Package (Ecosystem)	Introduced	Fixed	Limit
org.folio:mod-data-export-spring(Maven)	0	1.5.4	N/A
org.folio:mod-data-export-spring(Maven)	2.0.0	3.0.0	N/A

Weakness Type (CWE):CWE-798

CVSS Metrics

Base Score

9.1

Vector String

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

Base Severity

CRITICAL

Version

3.1

Attack Vector (AV)

NETWORK

Attack Complexity (AC)

LOW

Privileges Required (PR)

NONE

User Interaction (UI)

NONE

Scope (S)

UNCHANGED

Confidentiality (C)

HIGH

Integrity (I)

HIGH

Availability (A)

NONE

References

Base Score

CRITICAL9.1

Weakness Type (CWE):CWE-798

CVSS Metrics

Base Score

9.1

Vector String

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

Base Severity

CRITICAL

Version

3.1

Attack Vector (AV)

NETWORK

Attack Complexity (AC)

LOW

Privileges Required (PR)

NONE

User Interaction (UI)

NONE

Scope (S)

UNCHANGED

Confidentiality (C)

HIGH

Integrity (I)

HIGH

Availability (A)

NONE