Cyber Resilience

CVE-2024-10081

Critical

Published: 06 November 2024
Modified: 14 November 2025
KEV Added: not listed
Patch: available (CodeChecker 6.24.2)
CVSS v3.1 Score: 10.0 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:N)
EPSS Score: 0.7391 (98.8th percentile)
Risk Priority: 64 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2024-10081 is a critical-severity Authentication Bypass Using an Alternate Path or Channel (CWE-288) vulnerability in Ericsson CodeChecker. Its CVSS v3.1 base score is 10.0 (Critical): reachable over the network, low attack complexity, no privileges or user interaction required, with a scope change and high confidentiality and integrity impact (availability is not affected).

Operationally, it ranks in the top 1.2% of CVEs by EPSS exploit likelihood (98.8th percentile); it is not currently listed in the CISA KEV catalog.

Deeper analysis

CodeChecker, analyzer tooling with a defect database and viewer extension for the Clang Static Analyzer and Clang-Tidy, is affected by an authentication bypass in all versions through 6.24.1. The flaw is triggered when an API URL ends with the string Authentication: the server treats such a request as exempt from authentication even though the endpoint it actually reaches is not the Authentication endpoint. Every other API endpoint can therefore be called without credentials, with superuser privileges over functions such as adding, editing, or removing products.

An unauthenticated remote attacker exploits the bypass simply by sending requests whose URL ends in Authentication to otherwise protected API endpoints; no credentials, user interaction, or prior foothold are needed (PR:N, UI:N). Successful exploitation yields superuser-level control over product management and the other API endpoints, enabling arbitrary modification or deletion of analysis data and configuration.

The referenced GitHub Security Advisory GHSA-f3f8-vx3w-hp5q describes the issue and confirms that the vulnerability is resolved in CodeChecker 6.24.2. The advisory recommends upgrading to the patched release to eliminate the bypass; until that is done, limiting network exposure of the CodeChecker web server is the only compensating control, since the bypass happens inside the application's own request handling.
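The following is an added example, not CodeChecker's own code, modelling the CWE-288 pattern the advisory describes: the authentication exemption is decided by a suffix test on the raw URL, while the handler that runs is chosen by a different rule, so one request can satisfy the exemption and still reach a privileged endpoint. The '/api' prefix, the route names, the request format and the log lines are all constructed for the example; the fixed variant shows the check a reviewer would want, namely that exemption and routing consult the same resolved endpoint.

```python
"""
Illustrative model of an "alternate path" authentication bypass (CWE-288).
Added example; not CodeChecker's code. Route names, the '/api' prefix, the
request format and the sample log lines are constructed for this example.
"""
from dataclasses import dataclass
from typing import Callable, List, Optional
from urllib.parse import urlsplit

# Constructed endpoint table. Only "Authentication" may be reached without a
# session; everything else is privileged (product management, configuration).
ENDPOINTS = frozenset({"Authentication", "Products", "Configuration"})


@dataclass
class Request:
    path: str
    session: Optional[str] = None  # None means no credentials were supplied


def resolve_endpoint(path: str) -> Optional[str]:
    """Router rule: the endpoint is the first segment after '/api'; any
    further segments are treated as a sub-path and do not change the handler."""
    parts = [p for p in urlsplit(path).path.split("/") if p]
    if len(parts) < 2 or parts[0] != "api":
        return None
    return parts[1] if parts[1] in ENDPOINTS else None


def is_exempt_vulnerable(path: str) -> bool:
    """Vulnerable exemption rule: a string test on the raw URL, evaluated
    independently of the router. A protected endpoint reached through a path
    that merely ends in 'Authentication' is waved through."""
    return urlsplit(path).path.endswith("Authentication")


def is_exempt_fixed(path: str) -> bool:
    """Fixed exemption rule: ask the same router the dispatcher will use, so
    the exemption and the handler always refer to the same endpoint."""
    return resolve_endpoint(path) == "Authentication"


def dispatch(req: Request, exempt: Callable[[str], bool]) -> str:
    """Dispatch a request and return a constructed status string."""
    endpoint = resolve_endpoint(req.path)
    if endpoint is None:
        return "404"
    if not exempt(req.path) and req.session is None:
        return "401"
    return f"200 {endpoint}"


def suspicious_requests(log_lines: List[str]) -> List[str]:
    """Retrospective check over an access log (constructed format:
    '<client> <method> <path> <status>'): flag requests whose URL ends in
    'Authentication' but whose resolved endpoint is something else. On an
    unpatched instance these are bypass attempts; on a patched one they
    should all have been rejected."""
    hits = []
    for line in log_lines:
        client, method, path, status = line.split()
        endpoint = resolve_endpoint(path)
        if is_exempt_vulnerable(path) and endpoint not in (None, "Authentication"):
            hits.append(f"{client} {method} {path} -> {endpoint} ({status})")
    return hits


if __name__ == "__main__":
    anon = Request("/api/Products/Authentication")  # no session supplied
    print("vulnerable:", dispatch(anon, is_exempt_vulnerable))  # 200 Products
    print("fixed:     ", dispatch(anon, is_exempt_fixed))       # 401
    sample_log = [  # constructed log lines
        "203.0.113.7 POST /api/Authentication 200",
        "203.0.113.7 POST /api/Products/Authentication 200",
        "198.51.100.2 GET /api/Products 401",
    ]
    for hit in suspicious_requests(sample_log):
        print("suspicious:", hit)
```

The design point is that a security decision and a routing decision made from two different views of the same URL are two paths to the same handler; the fix collapses them into one by deriving the exemption from the resolved endpoint rather than from the raw string. The log check applies the same idea in reverse and is the kind of query to run against web-server logs of an instance that was exposed before upgrading.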

The associated EPSS score stands at 0.7391 with no material increase after disclosure.

Vulnerability details

CodeChecker is analyzer tooling with a defect database and viewer extension for the Clang Static Analyzer and Clang-Tidy. Authentication bypass occurs when the API URL ends with Authentication. This bypass allows superuser access to all API endpoints other than Authentication. These endpoints include the ability to add, edit, and remove products, among others. All endpoints apart from /Authentication are affected by the vulnerability. This issue affects CodeChecker through 6.24.1.

CWE(s)

CWE-288: Authentication Bypass Using an Alternate Path or Channel
CWE-420: Unprotected Alternate Channel (referenced in the control mapping below)

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

ericsson
codechecker
≤ 6.24.1 (fixed in 6.24.2)

Mitigating Controls

Likely Mitigating Controls (automated mapping)

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry. These are generic compensating controls for the weakness class; none of them replaces the upgrade to 6.24.2, because the bypass occurs inside the application's own request handling before any of these controls is consulted.

addresses: CWE-288, CWE-420

Authorizing remote access (restricting which networks and clients can reach the CodeChecker web server) reduces the ability to bypass authentication via unauthorized alternate remote channels.

addresses: CWE-288

Users can identify logons via alternate paths or channels by reviewing the previous logon time. Of limited value here: the bypass never performs a logon, so logon history will not record it.

addresses: CWE-288

Adaptive authentication requirements applied uniformly across all access paths reduce the ability to bypass authentication via alternate channels or paths.

addresses: CWE-288

A centralized identity provider, with every API route enforcing the same session check, closes alternate authentication paths that enable bypass.

addresses: CWE-288

Enforcing authentication for non-organizational users makes bypass via alternate paths or channels harder.

addresses: CWE-420

TSCM surveys detect and neutralize unprotected alternate channels introduced by surveillance equipment or modifications. This is a generic CWE-420 control and does not apply to an HTTP route-matching flaw.

addresses: CWE-288

Requiring authentication to occur exclusively over an isolated trusted path directly prevents bypass via alternate or untrusted channels.

addresses: CWE-420

Removing or disabling unprotected alternate I/O channels that could otherwise be used to bypass primary controls.

References

GHSA-f3f8-vx3w-hp5q, GitHub Security Advisory: https://github.com/advisories/GHSA-f3f8-vx3w-hp5q
NVD entry for CVE-2024-10081: https://nvd.nist.gov/vuln/detail/CVE-2024-10081