Cyber Resilience

CVE-2024-37889

Medium · Public PoC

Published: 14 June 2024

Modified: 21 November 2024
KEV Added: not listed
Patch: 0.4.6
CVSS v3.1: 6.5 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N)
EPSS: 0.1093 (93.6th percentile)
Risk Priority: 20 (weighting: 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2024-37889 is a medium-severity Authorization Bypass Through User-Controlled Key (CWE-639) vulnerability in Treyww Myfinances. Its CVSS base score is 6.5 (Medium).

Operationally, it ranks in the top 6.4% of CVEs by exploit likelihood (EPSS); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

Deeper analysis

MyFinances is a web application for personal finance management that is affected by an authorization bypass vulnerability tracked as CVE-2024-37889. The flaw, assigned CWE-639, permits an authenticated user to retrieve invoices belonging to other accounts, exposing associated personally identifiable information and financial data. It received a CVSS 3.1 score of 6.5 reflecting network attack vector, low complexity, and low privileges required, with the issue resolved in release 0.4.6.

An authenticated attacker can exploit the weakness by directly referencing invoice identifiers that are not properly scoped to the current user session. Successful exploitation yields read-only access to sensitive records from arbitrary accounts without any user interaction or elevated privileges.

The accompanying GitHub security advisory GHSA-4884-3gvp-3wj2 and the linked commit 2c1e6d5b7ec8b2d6f660b260e3c5f4d3eaaa613f document the fix and recommend upgrading to version 0.4.6. The EPSS score remains flat at 0.1093 with no material increase after disclosure.

EU & UK References

Vulnerability details

MyFinances is a web application for managing finances. MyFinances has a way to access other customers' invoices while signed in as a user. This method allows an actor to access PII and financial information from another account. The vulnerability is fixed in 0.4.6.

CWE(s)

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

treyww / myfinances (≤ 0.4.6)

Mitigating Controls

Likely Mitigating Controls AI

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

Addresses CWE-639: Per-request decision making makes it harder to bypass authorization using user-controlled keys without proper validation in the decision process.

Addresses CWE-639: Consistent enforcement of approved authorizations makes bypassing via user-controlled keys ineffective.
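The weakness described under "Deeper analysis" and the two controls above come down to one coding pattern: a record must be looked up by the user-supplied key together with the requesting account, not by the key alone. The following is an added illustration, written for this page; it is not code from MyFinances and makes no claim about how that project's views or models are written. The in-memory invoice store, account ids and names are constructed sample data, and `invoice_view` is a stand-in for a framework request handler.

```python
"""CWE-639 (authorization bypass through a user-controlled key) shown as an
invoice lookup: the unscoped lookup beside its per-request, owner-scoped form.
Added example with constructed data; not code from the MyFinances project."""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Invoice:
    invoice_id: int
    owner_id: int      # account that created the invoice
    client_name: str   # PII that must not leak across accounts
    amount_cents: int


# Constructed sample data: two accounts (100 and 200) and three invoices.
INVOICES = {
    1: Invoice(1, owner_id=100, client_name="Alice Example", amount_cents=12500),
    2: Invoice(2, owner_id=200, client_name="Bob Example", amount_cents=9900),
    3: Invoice(3, owner_id=200, client_name="Carol Example", amount_cents=4300),
}


class Forbidden(Exception):
    """Raised when the requesting account does not own the record."""


def get_invoice_unscoped(invoice_id: int) -> Optional[Invoice]:
    """Vulnerable pattern: the record is fetched by the user-supplied key alone,
    so any authenticated caller who supplies another account's id reads it."""
    return INVOICES.get(invoice_id)


def get_invoice_scoped(current_user_id: int, invoice_id: int) -> Invoice:
    """Hardened pattern: ownership is part of the lookup on every request.
    A record that belongs to someone else is treated exactly like a missing
    one, so the endpoint also does not confirm which ids exist."""
    invoice = INVOICES.get(invoice_id)
    if invoice is None or invoice.owner_id != current_user_id:
        raise Forbidden(f"account {current_user_id} may not read invoice {invoice_id}")
    return invoice


def invoice_view(current_user_id: int, invoice_id: int) -> dict:
    """Stand-in for an HTTP handler: returns a status code and body the way a
    framework view would, always going through the scoped lookup."""
    try:
        inv = get_invoice_scoped(current_user_id, invoice_id)
    except Forbidden:
        return {"status": 404, "body": {}}
    return {
        "status": 200,
        "body": {"id": inv.invoice_id, "client": inv.client_name,
                 "amount_cents": inv.amount_cents},
    }


if __name__ == "__main__":
    # Account 100 asks for invoice 2, which belongs to account 200.
    print("unscoped:", get_invoice_unscoped(2))   # returns Bob's invoice
    print("scoped:  ", invoice_view(100, 2))       # 404, nothing returned
    print("own:     ", invoice_view(200, 2))       # 200, the owner's own record
```

The point of `get_invoice_scoped` is that the owner check is not a separate step a later code path can forget: every read of an invoice passes through the same function, which is what "consistent enforcement" and "per-request decision making" mean in practice. In an ORM-backed application the equivalent is filtering the query by both the primary key and the current user rather than fetching by primary key and checking ownership afterwards (or not at all). Returning 404 rather than 403 for foreign records is a design choice; it avoids confirming that an id exists, at the cost of less informative logs, so a server-side log entry for the denied lookup is worth keeping either way.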

References