Authentication Bypass by Primary Weakness

CVE-2024-39899

Medium

5.3/10

Summary

PrivateBin is an online pastebin where the server has zero knowledge of pasted data. In v1.5.0, PrivateBin introduced the YOURLS server-side proxy. The idea was to allow using the YOURLs URL shortener without running the YOURLs instance without authentication and/or exposing the authentication token to the public, allowing anyone to shorten any URL. With the proxy mechanism, anyone can shorten any URL pointing to the configured PrivateBin instance. The vulnerability allowed other URLs to be shortened, as long as they contained the PrivateBin instance, defeating the limit imposed by the proxy. This issue affects privatebin/privatebin versions 1.5.0 through 1.7.3.

Attack Complexity: LOW
Attack Vector: NETWORK
Integrity Impact: LOW
Scope: UNCHANGED
User Interaction: NONE
Privileges Required: NONE
Confidentiality Impact: NONE
Availability Impact: NONE

CWE-305 - Authentication Bypass by Primary Weakness

The authentication algorithm is sound, but the implemented mechanism can be bypassed as the result of a separate weakness that is primary to the authentication error.

References

Advisory Timeline

Published Jul 09, 2024

Authentication Bypass by Primary Weakness

CVE-2024-39899

Summary

CWE-305 - Authentication Bypass by Primary Weakness

References

Advisory Timeline

ChainJacking

JetBrains IDE

KICS SaaS