Cyber Resilience

CVE-2024-13291

Severity: High
Published: 09 January 2025
Modified: 02 September 2025
CVSS Score v3.1: 7.3 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L)
EPSS Score: 0.0016 (36.3 percentile)
Risk Priority: 15 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2024-13291 is a high-severity Incorrect Authorization (CWE-863) vulnerability in the Basic Http Authentication Project's Basic Http Authentication module. Its CVSS base score is 7.3 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). By exploit likelihood it ranks at the 36.3 percentile (below the median), and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2024-13291 is an Incorrect Authorization vulnerability (CWE-863) in the Drupal Basic HTTP Authentication module that enables forceful browsing. It affects versions from 7.x-1.0 up to but not including 7.x-1.4. The vulnerability has a CVSS v3.1 base score of 7.3 (High), with the vector AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L, indicating network-accessible exploitation with low attack complexity, no privileges or user interaction required, and low impacts across confidentiality, integrity, and availability.

Remote, unauthenticated attackers can exploit this issue by bypassing authorization checks, performing forceful browsing to access unauthorized resources. Successful exploitation requires only network access to the affected Drupal site using the vulnerable module, allowing limited disruption or data exposure aligned with the low impact ratings.

The official Drupal Security Advisory (SA-CONTRIB-2024-057) at https://www.drupal.org/sa-contrib-2024-057 provides details on mitigation, including an update to Basic HTTP Authentication version 7.x-1.4 or later to address the authorization flaw. Security practitioners should verify installations and apply the patch promptly.


Vulnerability details

Incorrect Authorization vulnerability in Drupal Basic HTTP Authentication allows Forceful Browsing. This issue affects Basic HTTP Authentication: from 7.x-1.0 before 7.x-1.4.

CWE(s)

CWE-863 Incorrect Authorization

Related Threats

MITRE ATT&CK Enterprise Techniques

T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

CVE-2024-13291 is an access bypass vulnerability in the Drupal Basic HTTP Authentication module, enabling forceful browsing to restricted paths on a public-facing web application.

CVEs Like This One

CVE-2025-21565 (shared CWE-863)
CVE-2026-46823 (shared CWE-863)
CVE-2026-44260 (shared CWE-863)
CVE-2024-13277 (shared CWE-863)
CVE-2025-30743 (shared CWE-863)
CVE-2026-30947 (shared CWE-863)
CVE-2026-34453 (shared CWE-863)
CVE-2025-54253 (shared CWE-863)
CVE-2026-34646 (shared CWE-863)
CVE-2025-10611 (shared CWE-863)

Affected Assets

Vendor: basic http authentication project
Product: basic http authentication
Versions: ≤ 7.x-1.4

Mitigating Controls (NIST 800-53 r5)

AC-3 Access Enforcement (prevent)

Enforces approved authorizations for access to resources, directly preventing forceful browsing exploits that stem from the incorrect authorization check in the Drupal module.

SI-2 Flaw Remediation (prevent)

Requires timely identification, reporting, and correction of flaws like CVE-2024-13291 by patching the vulnerable Basic HTTP Authentication module (7.x-1.4 or later).

AC-6 Least Privilege (prevent)

Limits the scope of any unauthorized access gained through the authorization bypass by enforcing least privilege on accounts and functions.
