CVE-2024-34520
Published: 12 February 2025
Summary
CVE-2024-34520 is a high-severity Authorization Bypass Through User-Controlled Key (CWE-639) vulnerability. Its CVSS base score is 8.8 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068). The CVE is ranked at the 11.9th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 AC-25 (Reference Monitor) and AC-3 (Access Enforcement).
Deeper analysis
CVE-2024-34520 is an authorization bypass vulnerability (CWE-639) in the Mavenir SCE Application Provisioning Portal, specifically version PORTAL-LBS-R_1_0_24_0. It enables an authenticated guest user to circumvent client-side access controls and execute unauthorized administrative functions, such as the "add user" feature. The vulnerability carries a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H), indicating high severity due to its potential for significant confidentiality, integrity, and availability impacts.
An attacker with guest-level authentication can exploit this vulnerability remotely over the network with low complexity and no user interaction required. By bypassing client-side restrictions, the attacker gains the ability to perform administrative actions beyond their privileges, potentially leading to full compromise of the portal's user management and other sensitive operations.
Further details are available in the referenced GitHub repository at https://github.com/whitewhale-dmb/Vulnerability-Research/tree/main/CVE-2024-34520, which holds the vulnerability research materials. The provided CVE information details no specific patch or mitigation guidance.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-4915
Vulnerability details
An authorization bypass vulnerability exists in the Mavenir SCE Application Provisioning Portal, version PORTAL-LBS-R_1_0_24_0, which allows an authenticated 'guest' user to perform unauthorized administrative actions, such as accessing the 'add user' feature, by bypassing client-side access controls.
- CWE(s): CWE-639 (Authorization Bypass Through User-Controlled Key)
Related Threats
MITRE ATT&CK Enterprise Techniques
- T1190 Exploit Public-Facing Application
- T1068 Exploitation for Privilege Escalation
Why these techniques?
An authorization bypass in a public-facing provisioning portal directly enables remote exploitation (T1190) and unauthorized privilege escalation to administrative functions (T1068).
Affected Assets
- Mavenir SCE Application Provisioning Portal, version PORTAL-LBS-R_1_0_24_0
Mitigating Controls (NIST 800-53 r5)
- AC-3 (Access Enforcement): Enforces server-side approved authorizations for logical access, directly preventing guest users from bypassing client-side controls to perform unauthorized administrative actions.
- AC-6 (Least Privilege): Restricts guest accounts from accessing administrative functions like 'add user', limiting the scope of an authorization bypass.
- AC-25 (Reference Monitor): Deploys a reference monitor as a tamper-resistant mechanism that mediates and enforces all access control decisions, countering client-side authorization bypass vulnerabilities.
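The following is an added illustration of the weakness class and the AC-3/AC-25 controls above, written for this page; it is hypothetical code and not the Mavenir portal's implementation. It models an "add user" handler two ways: a vulnerable version whose authorization decision is keyed on a client-supplied `role` field (the UI hides the form from guests, so the server assumes only admins send `role=admin`), and a hardened version in which every action passes through a single server-side `authorize()` function that looks the role up from the session and consults a policy table. The session table, policy table, request shape and usernames are all constructed for the example; denied decisions are appended to an `AUDIT` list, which is the signal a detection rule would key on.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Set

# Constructed server-side session table: server-issued session id -> authenticated role.
SESSIONS: Dict[str, str] = {"sess-guest": "guest", "sess-admin": "admin"}

# Constructed server-side policy: action -> roles permitted to invoke it.
POLICY: Dict[str, Set[str]] = {
    "add_user": {"admin"},
    "list_users": {"admin", "guest"},
}

# Denied decisions recorded here; a SOC would forward these as audit events.
AUDIT: List[str] = []


class Forbidden(Exception):
    """Raised when an access decision denies the requested action."""


@dataclass
class Request:
    session_id: str                                      # server-issued, maps to SESSIONS
    action: str
    body: Dict[str, str] = field(default_factory=dict)   # entirely client-controlled


def vulnerable_add_user(req: Request, users: List[str]) -> List[str]:
    """CWE-639 pattern: the authorization key ('role') is read from the client body.
    The client-side UI hides the form from guests, but a crafted request is not
    constrained by the UI, so any authenticated session can claim role=admin."""
    if req.body.get("role") != "admin":
        raise Forbidden("add_user requires admin")
    users.append(req.body["username"])
    return users


def authorize(req: Request, action: str) -> str:
    """Reference monitor (AC-25): every action is mediated here. The role is
    resolved server-side from the session (AC-3) and never taken from the body."""
    role = SESSIONS.get(req.session_id)
    if role is None or role not in POLICY.get(action, set()):
        AUDIT.append(f"DENY session={req.session_id} role={role} action={action}")
        raise Forbidden(f"{action} not permitted for role {role!r}")
    return role


def hardened_add_user(req: Request, users: List[str]) -> List[str]:
    """Same handler behind the reference monitor; the body's 'role' is ignored."""
    authorize(req, "add_user")
    users.append(req.body["username"])
    return users


def demo() -> dict:
    """Runs a guest session that tampers the body to claim role=admin against
    both handlers, then a legitimate admin session against the hardened one."""
    forged = Request("sess-guest", "add_user", {"role": "admin", "username": "mallory"})
    result = {}
    # Vulnerable handler: the guest's claim is believed and the user is created.
    result["vulnerable"] = vulnerable_add_user(forged, ["alice"])
    # Hardened handler: the session's real role is 'guest', so the request is denied.
    try:
        hardened_add_user(forged, ["alice"])
        result["hardened"] = "allowed"
    except Forbidden:
        result["hardened"] = "denied"
    # Hardened handler still serves a real admin session without any body hint.
    legit = Request("sess-admin", "add_user", {"username": "bob"})
    result["admin"] = hardened_add_user(legit, ["alice"])
    return result


if __name__ == "__main__":
    print(demo())
    print("\n".join(AUDIT))
```

The design point is that the only inputs to the decision are server-held state (the session and the policy), and that the denial path emits an audit record; a guest session repeatedly hitting `DENY ... action=add_user` is exactly the pattern a detection rule for this CVE class should alert on.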