CVE-2024-13278
Published: 09 January 2025
Summary
CVE-2024-13278 is a critical-severity Incorrect Authorization (CWE-863) vulnerability in Diff Project Diff. Its CVSS base score is 9.1 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Data from Information Repositories (T1213); ranked at the 45.2th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and SI-2 (Flaw Remediation).
Deeper analysis
CVE-2024-13278 is an Incorrect Authorization vulnerability (CWE-863) in the Drupal Diff module that allows Functionality Misuse. It affects all versions of the Diff module from 0.0.0 before 1.8.0. The vulnerability carries a CVSS v3.1 base score of 9.1 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N), indicating critical severity due to its potential for high confidentiality and integrity impacts.
Remote unauthenticated attackers can exploit this vulnerability over the network with low attack complexity and no user interaction required. Exploitation enables functionality misuse, potentially allowing unauthorized access to sensitive data or modifications that compromise the integrity of Drupal sites using the affected Diff module.
The Drupal security advisory SA-CONTRIB-2024-042 at https://www.drupal.org/sa-contrib-2024-042 recommends upgrading to Diff module version 1.8.0 as the primary mitigation. No additional workarounds are specified in available details.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2024-51491
Vulnerability details
Incorrect Authorization vulnerability in Drupal Diff allows Functionality Misuse.This issue affects Diff: from 0.0.0 before 1.8.0.
- CWE(s)
Related Threats
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Incorrect authorization in Drupal Diff module enables access bypass for rendering diff reports on restricted revisions of nodes/entities, facilitating unauthorized collection of data from Drupal content repositories.
CVEs Like This One
Affected Assets
Mitigating Controls
Mitigating Controls (NIST 800-53 r5) AI
Requires timely flaw remediation by upgrading the Drupal Diff module to version 1.8.0, directly eliminating the incorrect authorization vulnerability.
Mandates enforcement mechanisms for approved access authorizations, preventing unauthenticated functionality misuse due to authorization flaws in the Diff module.
Explicitly authorizes specific actions performable without authentication, mitigating risks of unauthorized access and misuse in unauthenticated contexts exploited by this CVE.