Micronaut FW Unsecured Localhost Management Endpoints Enable Drive-by Attacks (fixed in 3.8.3)
CVE-2024-23639 Published on February 9, 2024

micronaut-core management endpoints vulnerable to drive-by localhost attack
Micronaut Framework is a modern, JVM-based, full stack Java framework designed for building modular, easily testable JVM applications with support for Java, Kotlin and the Groovy language. Enabled but unsecured management endpoints are susceptible to drive-by localhost attacks. While not typical of a production application, these attacks may have more impact on a development environment where such endpoints may be flipped on without much thought. A malicious/compromised website can make HTTP requests to `localhost`. Normally, such requests would trigger a CORS preflight check which would prevent the request; however, some requests are "simple" and do not require a preflight check. These endpoints, if enabled and not secured, are vulnerable to being triggered. Production environments typically disable unused endpoints and secure/restrict access to needed endpoints. A more likely victim is the developer in their local development host, who has enabled endpoints without security for the sake of easing development. This issue has been addressed in version 3.8.3. Users are advised to upgrade.
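The advisory's key point is that some cross-origin browser requests are "simple" and skip the CORS preflight, so an unsecured localhost endpoint is hit before any CORS check applies. The following is an added example, not code from the advisory or the Micronaut project: it encodes the Fetch standard's CORS-safelisted request rules (simplified; the Range header is treated as not safelisted) so a developer can see which requests reach an endpoint without a preflight, and adds a minimal server-side guard of the kind a management endpoint should apply. All sample headers are constructed.

```python
# Added example (not from the advisory or the Micronaut project). Models which
# browser-originated requests reach a localhost endpoint with no OPTIONS preflight,
# per the Fetch standard's CORS-safelisted rules (simplified: Range is treated as
# not safelisted), plus a guard that rejects cross-site browser requests.

SAFE_METHODS = {"GET", "HEAD", "POST"}
SAFE_HEADER_NAMES = {"accept", "accept-language", "content-language", "content-type"}
SAFE_CONTENT_TYPES = {"application/x-www-form-urlencoded", "multipart/form-data", "text/plain"}


def _header(headers: dict, name: str):
    """Case-insensitive header lookup."""
    for key, value in headers.items():
        if key.lower() == name.lower():
            return value
    return None


def is_simple_request(method: str, headers: dict) -> bool:
    """True if a browser sends this cross-origin request without an OPTIONS preflight.

    For such a request the CORS check only hides the response from the page;
    the server-side effect has already happened by then.
    """
    if method.upper() not in SAFE_METHODS:
        return False
    for name, value in headers.items():
        lname = name.lower()
        if lname not in SAFE_HEADER_NAMES or len(value) > 128:
            return False  # custom or oversized header forces a preflight
        if lname == "content-type":
            essence = value.split(";", 1)[0].strip().lower()
            if essence not in SAFE_CONTENT_TYPES:
                return False  # e.g. application/json triggers a preflight
    return True


def should_reject(headers: dict, allowed_origins: set) -> bool:
    """Server-side guard: refuse cross-site browser requests to a management endpoint.

    Browsers attach Origin to cross-origin fetch/XHR requests and modern browsers
    attach Sec-Fetch-Site to every request, so either signal identifies a drive-by.
    Requests carrying neither (curl, same-origin tooling) pass. This complements,
    not replaces, marking the endpoint sensitive and requiring authentication.
    """
    if _header(headers, "Sec-Fetch-Site") == "cross-site":
        return True
    origin = _header(headers, "Origin")
    return origin is not None and origin not in allowed_origins
```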


Vulnerability Analysis

CVE-2024-23639 can be exploited with local system access, and requires neither privileges nor user interaction. The attack complexity is rated low. The impact of a successful exploit is rated as none for confidentiality and low for both integrity and availability.

Attack Vector: LOCAL
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: NONE
Integrity Impact: LOW
Availability Impact: LOW

Weakness Types

External Control of System or Configuration Setting

One or more system settings or configuration elements can be externally controlled by a user. Allowing external control of system settings can disrupt service or cause an application to behave in unexpected, and potentially malicious ways.

Improper Control of a Resource Through its Lifetime

The software does not maintain or incorrectly maintains control over a resource throughout its lifetime of creation, use, and release.

Externally Controlled Reference to a Resource in Another Sphere

The product uses an externally controlled name or reference that resolves to a resource that is outside of the intended control sphere.


Products Associated with CVE-2024-23639


Affected Versions

micronaut-projects micronaut-core Version < 3.8.3 is affected by CVE-2024-23639

Vulnerable Packages

The following package name and versions may be associated with CVE-2024-23639

Package Manager   Vulnerable Package                          Versions   Fixed In
maven             io.micronaut:micronaut-http-server          < 3.8.3    3.8.3
maven             io.micronaut:micronaut-http-server-netty    < 3.8.3    3.8.3
maven             io.micronaut:micronaut-http-server-tck      < 3.8.3    3.8.3

Exploit Probability

EPSS: 0.04%
Percentile: 10.97%

EPSS (Exploit Prediction Scoring System) scores estimate the probability that a vulnerability will be exploited in the wild within the next 30 days. The percentile shows you how this score compares to all other vulnerabilities.