CVE-2024-13291
Published: 09 January 2025
Summary
CVE-2024-13291 is a high-severity Incorrect Authorization (CWE-863) vulnerability in the Drupal Basic HTTP Authentication contributed module (7.x branch). Its CVSS v3.1 base score is 7.3 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE is ranked in the 36.3rd percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and SI-2 (Flaw Remediation).
Deeper analysis
CVE-2024-13291 is an Incorrect Authorization vulnerability (CWE-863) in the Drupal Basic HTTP Authentication module that allows forceful browsing: requesting a protected path directly and reaching it without the HTTP Basic credentials the module is supposed to require. It affects versions from 7.x-1.0 up to but not including 7.x-1.4. The vulnerability has a CVSS v3.1 base score of 7.3 (High), with the vector AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L, indicating network-accessible exploitation with low attack complexity, no privileges or user interaction required, and low impacts on confidentiality, integrity, and availability.
Remote, unauthenticated attackers can exploit this issue by requesting restricted resources directly, bypassing the module's authorization checks. Successful exploitation requires only network access to a Drupal 7 site with the vulnerable module installed and enabled; the result is limited disruption or data exposure, consistent with the low impact ratings.
The official Drupal security advisory SA-CONTRIB-2024-057 (https://www.drupal.org/sa-contrib-2024-057) describes the fix: update Basic HTTP Authentication to version 7.x-1.4 or later. Security practitioners should verify which version of the module is installed on each Drupal 7 site (including copies under sites/all/modules and per-site directories) and apply the update promptly. Note that the affected 7.x branch runs on Drupal 7, which reached end of life on 5 January 2025, so sites still on it should also be planning a migration.
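As an added verification check, not code from the advisory or from the module itself, the following Python script reads a Drupal 7 contributed module's packaged `.info` file, extracts the `version` line that drupal.org's packaging script appends, and decides whether that version falls inside the affected range [7.x-1.0, 7.x-1.4). The sample `.info` text is constructed for the example; the module machine name `basic_auth` and the `.info` layout are assumptions. Pre-releases such as `7.x-1.4-beta1` sort below the fixed `7.x-1.4`, and a `7.x-1.x-dev` snapshot cannot be placed in the range at all, so it is reported as undecidable rather than silently passed.

```python
import os
import re
from typing import List, Optional, Tuple

# Affected range stated in SA-CONTRIB-2024-057: 7.x-1.0 <= version < 7.x-1.4.
# Versions are compared as (major, minor, stable); a pre-release such as
# 7.x-1.4-beta1 sorts below the stable 7.x-1.4 that carries the fix.
AFFECTED_FROM = (1, 0, 1)
FIXED_IN = (1, 4, 1)

# Constructed sample of a packaged Drupal 7 .info file. The "version", "project"
# and "datestamp" lines are what drupal.org's packaging script appends; the
# machine name "basic_auth" is an assumption made for this example.
SAMPLE_INFO = """\
name = Basic HTTP Authentication
description = Lets users authenticate with an HTTP Basic Authorization header.
core = 7.x

; Information added by Drupal.org packaging script on 2023-05-10
version = "7.x-1.3"
core = "7.x"
project = "basic_auth"
datestamp = "1683700000"
"""

# 7.x-MAJOR.MINOR[-suffix]; MINOR may be "x" for a dev snapshot.
_VERSION_RE = re.compile(r"^7\.x-(\d+)\.(\d+|x)(?:-([a-z]+\d*))?$")


def parse_info_version(info_text: str) -> Optional[str]:
    """Return the packaged 'version' value from .info text, or None when the
    file has no version line (a plain git checkout is not packaged)."""
    for raw in info_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        if key.strip() == "version":
            return value.strip().strip('"').strip("'")
    return None


def version_key(version: str) -> Optional[Tuple[int, int, int]]:
    """Map '7.x-MAJOR.MINOR[-suffix]' to a sortable (major, minor, stable)
    tuple. Returns None for a dev snapshot like '7.x-1.x-dev', whose minor
    version is unknown and therefore cannot be placed in the range."""
    m = _VERSION_RE.match(version)
    if not m:
        raise ValueError(f"not a Drupal 7 contrib version string: {version!r}")
    if m.group(2) == "x":
        return None
    stable = 1 if m.group(3) is None else 0
    return int(m.group(1)), int(m.group(2)), stable


def is_affected(version: str) -> Optional[bool]:
    """True if version falls in [7.x-1.0, 7.x-1.4), False if outside it,
    None if undecidable (dev snapshot: treat as affected until confirmed)."""
    key = version_key(version)
    if key is None:
        return None
    return AFFECTED_FROM <= key < FIXED_IN


def check_info(info_text: str) -> Tuple[Optional[str], Optional[bool]]:
    """Run both steps on one .info file and return (version, affected)."""
    version = parse_info_version(info_text)
    if version is None:
        return None, None
    return version, is_affected(version)


def scan_docroot(docroot: str, machine_name: str = "basic_auth") -> List[tuple]:
    """Walk a Drupal 7 docroot for every copy of <machine_name>.info (sites/all,
    per-site module directories, profiles) and report each copy's status, since
    a patched sites/all copy can be shadowed by an older per-site copy."""
    results = []
    info_name = f"{machine_name}.info"
    for dirpath, _, files in os.walk(docroot):
        if info_name in files:
            path = os.path.join(dirpath, info_name)
            with open(path, encoding="utf-8", errors="replace") as fh:
                results.append((path,) + check_info(fh.read()))
    return results


if __name__ == "__main__":
    version, affected = check_info(SAMPLE_INFO)
    print(f"sample .info version: {version}, affected: {affected}")
```

Run `scan_docroot("/var/www/drupal7")` (path assumed) against a real site to list every installed copy; a result of `None` for the version means the module came from an unpackaged checkout and must be compared against the fixed commit by hand, and `None` for the affected flag means a dev snapshot that should be treated as vulnerable until the maintainer's fix is confirmed present.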
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2024-51504
Vulnerability details
Incorrect Authorization vulnerability in Drupal Basic HTTP Authentication allows Forceful Browsing. This issue affects Basic HTTP Authentication: from 7.x-1.0 before 7.x-1.4.
- CWE(s): CWE-863 (Incorrect Authorization)
Related Threats
MITRE ATT&CK Enterprise Techniques
- T1190 Exploit Public-Facing Application
Why these techniques?
CVE-2024-13291 is an access-bypass vulnerability in the Drupal Basic HTTP Authentication module, enabling forceful browsing to restricted paths on a public-facing web application.
Mitigating Controls (NIST 800-53 r5)
- AC-3 (Access Enforcement): Enforces approved authorizations for access to resources, directly preventing the forceful-browsing exploit that the module's incorrect authorization allows.
- SI-2 (Flaw Remediation): Requires timely identification, reporting, and correction of flaws such as CVE-2024-13291 by updating the vulnerable Basic HTTP Authentication module.
- AC-6 (Least Privilege): Limits the scope of any unauthorized access gained through the authorization bypass by enforcing least privilege on accounts and functions.