CVE-2024-36108

Source
https://cve.org/CVERecord?id=CVE-2024-36108
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2024-36108.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2024-36108
Aliases
  • GHSA-mj5q-rc67-h56c
Published
2024-05-31T14:37:05.399Z
Modified
2026-04-02T12:16:43.394106Z
Severity
  • 9.8 (Critical) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Summary
Multiple Broken Function-Level Authorization vulnerabilities in casgate
Details

casgate is an Open Source Identity and Access Management system. In affected versions, casgate allows a remote unauthenticated attacker to obtain sensitive information via a GET request to an API endpoint. This issue has been addressed in PR #201, which is pending merge. An attacker could use the id parameter of GET requests with the value anonymous/ anonymous to bypass authorization on certain API endpoints. Successful exploitation of the vulnerability could lead to account takeover or privilege escalation, or provide the attacker with credentials to other services. Users are advised to upgrade. There are no known workarounds for this vulnerability.

Database specific
{
    "cna_assigner": "GitHub_M",
    "cwe_ids": [
        "CWE-285"
    ],
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2024/36xxx/CVE-2024-36108.json"
}
Affected packages

Git / github.com/casgate/casgate

Affected ranges

Type
GIT
Repo
https://github.com/casgate/casgate
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed
Database specific
{
    "versions": [
        {
            "introduced": "0"
        },
        {
            "fixed": "0.1.0"
        }
    ]
}

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2024-36108.json"