PYSEC-2024-27

See a problem?
Import Source
https://github.com/pypa/advisory-database/blob/main/vulns/crate/PYSEC-2024-27.yaml
JSON Data
https://api.osv.dev/v1/vulns/PYSEC-2024-27
Aliases
Published
2024-01-30T01:15:00Z
Modified
2024-02-06T20:41:45.559656Z
Severity
  • 9.8 (Critical) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H CVSS Calculator
Summary
[none]
Details

CrateDB 5.5.1 is contains an authentication bypass vulnerability in the Admin UI component. After configuring password authentication and_ Local_ In the case of an address, identity authentication can be bypassed by setting the X-Real IP request header to a specific value and accessing the Admin UI directly using the default user identity.(https://github.com/crate/crate/issues/15231)

References

Affected packages

PyPI / crate

Package

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected

Affected versions

0.*

0.1.10
0.2.0
0.3.0
0.3.1
0.3.2
0.3.3
0.3.4
0.4.0
0.5.0
0.6.0
0.7.0
0.7.1
0.8.0
0.8.1
0.9.0
0.9.1
0.9.2
0.9.3
0.9.4
0.9.5
0.10.0
0.10.1
0.10.2
0.10.3
0.10.4
0.10.5
0.10.6
0.10.7
0.11.0
0.11.1
0.11.2
0.12.0
0.12.1
0.12.2
0.12.3
0.12.4
0.12.5
0.13.0
0.13.1
0.13.2
0.13.3
0.13.4
0.13.5
0.13.6
0.14.0
0.14.1
0.14.2
0.15.0
0.16.0
0.16.1
0.16.2
0.16.3
0.16.4
0.16.5
0.17.0
0.18.0
0.19.0
0.19.1
0.19.2
0.19.3
0.19.4
0.19.5
0.20.0
0.20.1
0.21.0
0.21.1
0.21.2
0.21.3
0.22.0
0.22.1
0.23.0
0.23.1
0.23.2
0.24.0
0.25.0
0.26.0
0.27.0
0.27.1
0.27.2
0.28.0
0.29.0
0.30.0
0.30.1
0.31.0
0.31.1
0.32.0
0.33.0
0.34.0
0.35.0
0.35.1
0.35.2