Authentication Bypass by Alternate Name
CVE-2024-34519
Summary
Avantra Server 24.x before 24.0.7 and 24.1.x before 24.1.1 mishandles the security of dashboards, aka XAN-5367. If a user can create a dashboard with an auto-login user, data disclosure may occur. Access control can be bypassed when there is a shared dashboard, and its auto-login user has privileges that a dashboard visitor should not have.
- HIGH
- NETWORK
- HIGH
- UNCHANGED
- NONE
- LOW
- HIGH
- NONE
CWE-289 - Authentication Bypass by Alternate Name
The software performs authentication based on the name of a resource being accessed, or the name of the actor performing the access, but it does not properly check all possible names for that resource or actor.
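The flaw pattern in the summary above, modelled as an added example (hypothetical code, not Avantra's): a shared dashboard fetches widget data as its auto-login user, and the vulnerable renderer authorizes only that identity, so a visitor with fewer rights sees more than they should. The hardened renderer treats the visitor's own permissions as a ceiling. All names, permissions and widgets are constructed for illustration.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class User:
    name: str
    permissions: frozenset  # e.g. {"view:hosts", "view:credentials"}


@dataclass
class Dashboard:
    auto_login_user: User  # identity the dashboard uses to fetch widget data
    widgets: list          # (widget_name, required_permission) pairs


def render_vulnerable(dashboard, visitor):
    """Authorizes each widget against the auto-login user only.

    The visitor's identity is never consulted, so whatever the auto-login
    user may see, any visitor to the shared dashboard sees too.
    """
    return {w: p in dashboard.auto_login_user.permissions
            for w, p in dashboard.widgets}


def render_hardened(dashboard, visitor):
    """Effective privilege is the intersection of both identities.

    The auto-login user can still be used to fetch data, but it can never
    grant the visitor a permission the visitor does not already hold.
    """
    effective = visitor.permissions & dashboard.auto_login_user.permissions
    return {w: p in effective for w, p in dashboard.widgets}


def leaked_widgets(dashboard, visitor):
    """Audit helper: widgets the vulnerable path shows but the hardened path denies."""
    vuln = render_vulnerable(dashboard, visitor)
    safe = render_hardened(dashboard, visitor)
    return sorted(w for w in vuln if vuln[w] and not safe[w])


# Constructed sample: a privileged service identity and a low-privilege visitor.
DASHBOARD_SVC = User("dashboard-svc", frozenset({"view:hosts", "view:credentials"}))
GUEST = User("guest", frozenset({"view:hosts"}))
SHARED = Dashboard(
    auto_login_user=DASHBOARD_SVC,
    widgets=[("host_status", "view:hosts"), ("stored_secrets", "view:credentials")],
)
```

Running `leaked_widgets(SHARED, GUEST)` reports the widget the visitor would wrongly see; the same check, run over real dashboard definitions, is a quick way to find shared dashboards whose auto-login user out-privileges their audience.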
References
Advisory Timeline
- Published