Auth Bypass in Forklift Controller: Missing Bearer Token Verification
CVE-2024-8509 Published on September 6, 2024
Migration toolkit for virtualization: forklift-controller: empty bearer token may perform authentication
A vulnerability was found in Forklift Controller. The controller performs no verification of the Authorization header beyond checking that it uses the Bearer scheme. A request without an Authorization header carrying some form of Bearer token receives a 401 error; any token value at all yields a 200 response with the requested information.
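The check described above, side by side with a hardened version, as an added illustration that is not the forklift-controller source: the weak handler accepts any non-empty Bearer token, while the fixed handler validates the token's value before serving the request. The `TokenValidator` lookup is a constructed stand-in for a real check such as a Kubernetes TokenReview call.

```go
package main

import (
	"fmt"
	"net/http"
	"strings"
)

// weakAuth models the check described in CVE-2024-8509: the handler only
// confirms that the Authorization header carries the Bearer scheme with some
// token value. The value itself is never verified, so any string passes.
// Illustrative code, not the forklift-controller source.
func weakAuth(authHeader string) int {
	token := strings.TrimPrefix(authHeader, "Bearer ")
	if token == authHeader || strings.TrimSpace(token) == "" {
		return http.StatusUnauthorized // no header, wrong scheme, or no token
	}
	return http.StatusOK // token present: accepted without verification
}

// TokenValidator stands in for a real check, such as a Kubernetes TokenReview
// request; here it is a constructed lookup so the example runs offline.
type TokenValidator func(token string) bool

// verifiedAuth is the hardened form: scheme checked case-insensitively, token
// required to be non-empty, and its value validated before anything is served.
func verifiedAuth(authHeader string, valid TokenValidator) int {
	scheme, token, found := strings.Cut(authHeader, " ")
	if !found || !strings.EqualFold(scheme, "Bearer") {
		return http.StatusUnauthorized
	}
	token = strings.TrimSpace(token)
	if token == "" || !valid(token) {
		return http.StatusUnauthorized
	}
	return http.StatusOK
}

func main() {
	// Constructed token set standing in for the cluster's real token store.
	known := map[string]bool{"constructed-valid-token": true}
	valid := TokenValidator(func(tok string) bool { return known[tok] })
	headers := []string{"", "Bearer ", "Bearer not-a-real-token", "Bearer constructed-valid-token"}
	for _, h := range headers {
		fmt.Printf("%-32q weak=%d verified=%d\n", h, weakAuth(h), verifiedAuth(h, valid))
	}
}
```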
Vulnerability Analysis
CVE-2024-8509 is exploitable over the network and requires neither privileges nor user interaction, with low attack complexity. A successful exploit has a high impact on confidentiality and no impact on integrity or availability.
Timeline
Reported to Red Hat.
Made public.
Weakness Type
What is an AuthZ Vulnerability?
The software does not perform or incorrectly performs an authorization check when an actor attempts to access a resource or perform an action.
CVE-2024-8509 has been classified as an AuthZ vulnerability or weakness.
Products Associated with CVE-2024-8509
Exploit Probability
EPSS (Exploit Prediction Scoring System) scores estimate the probability that a vulnerability will be exploited in the wild within the next 30 days. The percentile shows you how this score compares to all other vulnerabilities.