Cyber Resilience

CVE-2024-12564

Severity: Medium
Published: 12 December 2024
Modified: 15 April 2026
KEV Added: not listed
Patch: no entry on this page (the description implies a fix in CDE inWEB SDK 2025.3)
CVSS v4.0 base score: 6.9 (Medium)
CVSS vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:L/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
EPSS: 0.0022 (44.4th percentile)
Risk Priority: 14 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2024-12564 is a medium-severity Exposure of Sensitive Information to an Unauthorized Actor (CWE-200) vulnerability in Open Design Alliance CDE inWEB SDK before 2025.3 (the vendor is recorded here as Opendesign, inferred from the references). Its CVSS v4.0 base score is 6.9 (Medium).

Operationally, its EPSS score of 0.0022 places it at the 44.4th percentile for exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog.

Vulnerability details

An Exposure of Sensitive Information to an Unauthorized Actor vulnerability was discovered in Open Design Alliance CDE inWEB SDK before 2025.3. Installing CDE Server with default settings allows unauthorized users to visit the Prometheus metrics page. This can allow attackers to learn more about the target application, which may help in further investigation and exploitation.

Prometheus-style metrics pages commonly carry build and runtime version labels and per-route request counters, which is the kind of reconnaissance value the description refers to. A quick check is to request the metrics endpoint with no credentials: an HTTP 200 with text-exposition content means the default install is exposed.
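As an added check, not code from this page or from Open Design Alliance: the script below fetches a URL with no credentials, decides whether the response is a Prometheus text-exposition page, and summarises what an unauthenticated visitor could learn from it (build and runtime versions from `*_info` metrics, and API routes from path-style labels). The `/metrics` path, the helper names and the sample response are assumptions; the sample body is constructed and was not captured from a CDE Server.

```python
"""Unauthenticated metrics-page exposure check (added example, not ODA code)."""
import re
import urllib.error
import urllib.request

# One Prometheus text-exposition sample line:  name{label="v",...} value [timestamp]
METRIC_LINE = re.compile(
    r'^(?P<name>[a-zA-Z_:][a-zA-Z0-9_:]*)'
    r'(?:\{(?P<labels>[^}]*)\})?\s+(?P<value>\S+)'
)
LABEL_PAIR = re.compile(r'(\w+)="((?:[^"\\]|\\.)*)"')

# Metric-name fragments that usually carry version/build details as labels.
INFO_HINTS = ("_info", "version")
# Label keys that usually leak the application's route table.
ROUTE_KEYS = ("path", "route", "handler", "uri", "endpoint")


def parse_exposition(text):
    """Return [(name, labels_dict, value_str)] for every sample line in text."""
    samples = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):   # skip HELP/TYPE comments and blanks
            continue
        m = METRIC_LINE.match(line)
        if not m:
            continue
        labels = dict(LABEL_PAIR.findall(m.group("labels") or ""))
        samples.append((m.group("name"), labels, m.group("value")))
    return samples


def looks_like_exposition(status, content_type, body):
    """HTTP 200, a text/plain or OpenMetrics content type, and >= 1 parseable sample."""
    if status != 200:
        return False
    ct = (content_type or "").lower()
    if not (ct.startswith("text/plain") or "openmetrics" in ct):
        return False
    return len(parse_exposition(body)) > 0


def fingerprint(samples):
    """Metrics whose name suggests build/runtime info and that carry labels."""
    return {name: labels for name, labels, _ in samples
            if labels and any(h in name for h in INFO_HINTS)}


def routes(samples):
    """Distinct route-like label values (e.g. path="/api/login")."""
    found = set()
    for _, labels, _ in samples:
        for key in ROUTE_KEYS:
            if key in labels:
                found.add(labels[key])
    return found


def assess(status, content_type, body):
    """Classify one HTTP response and summarise what it discloses."""
    exposed = looks_like_exposition(status, content_type, body)
    samples = parse_exposition(body) if exposed else []
    return {
        "exposed": exposed,
        "sample_count": len(samples),
        "fingerprint": fingerprint(samples),
        "routes": routes(samples),
    }


def probe(url, timeout=5):
    """Live check: request url with no credentials (assumed path: <base>/metrics)."""
    req = urllib.request.Request(url, headers={"User-Agent": "metrics-exposure-check"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            body = resp.read().decode("utf-8", "replace")
            return assess(resp.status, resp.headers.get("Content-Type"), body)
    except urllib.error.HTTPError as e:   # 401/403 etc. still yield a verdict
        return assess(e.code, e.headers.get("Content-Type"), "")


# Constructed sample response; NOT captured from a real CDE Server.
SAMPLE_CONTENT_TYPE = "text/plain; version=0.0.4; charset=utf-8"
SAMPLE_BODY = """\
# HELP app_build_info Build information of the server.
# TYPE app_build_info gauge
app_build_info{version="2024.12",revision="deadbeef"} 1
# TYPE go_info gauge
go_info{version="go1.21.5"} 1
# TYPE process_cpu_seconds_total counter
process_cpu_seconds_total 12.3
# TYPE http_requests_total counter
http_requests_total{method="GET",path="/api/projects"} 42
http_requests_total{method="POST",path="/api/login"} 7
"""


def run_sample():
    """Assess the constructed sample as if it were an unauthenticated 200 response."""
    return assess(200, SAMPLE_CONTENT_TYPE, SAMPLE_BODY)


if __name__ == "__main__":
    import json, sys
    result = probe(sys.argv[1]) if len(sys.argv) > 1 else run_sample()
    result["routes"] = sorted(result["routes"])
    print(json.dumps(result, indent=2))
```

Run it as `python check_metrics.py https://cde.example.internal/metrics` (hostname and path are placeholders) against a server that should require authentication; `"exposed": true` on an unauthenticated request is the condition the advisory describes. The same parser can be pointed at a saved response body to see which version labels and routes would be handed to an attacker.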

CWE(s)

CWE-200: Exposure of Sensitive Information to an Unauthorized Actor

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

Opendesign (Open Design Alliance): CDE inWEB SDK, versions before 2025.3. Vendor and product are inferred from the references and the description; NVD did not file a CPE for this CVE.

Mitigating Controls

Likely Mitigating Controls (AI-derived)

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry, so it addresses the weakness class (insecure default permissions and information exposure) rather than the specific metrics endpoint named in the description.

Places configuration items under formal management, enforcing correct permission assignments on critical resources. (addresses CWE-276, CWE-732)

Access control policy can specify and enforce secure default permissions for resources. (addresses CWE-200, CWE-732)

Retaining security attributes and enforcing their permitted values keeps unauthorized actors from reaching sensitive information that is missing correct labels. (addresses CWE-276, CWE-732)

Guides setting of default permissions to the minimum required level. (addresses CWE-732, CWE-200)

Audit logs and logging tools are critical resources whose protection requires correct permission assignments to block unauthorized actions. (addresses CWE-732, CWE-276)

Procedures specify correct permission assignments for critical configuration files and resources as part of baseline and change management. (addresses CWE-200, CWE-732)

Documenting information locations and authorized users enables better protection against unauthorized exposure of sensitive data. (addresses CWE-276, CWE-732)

Baseline establishment and updates on install/upgrade ensure correct default permissions rather than insecure ones.
