CVE-2024-42168

High

Published: 11 January 2025

Published

11 January 2025

Modified

16 May 2025

KEV Added

—

Patch

—

CVSS Score 8.9 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:L

EPSS Score 0.0028 51.1th percentile

Risk Priority 18 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2024-42168 is a high-severity Externally Controlled Reference to a Resource in Another Sphere (CWE-610) vulnerability in Hcltech Dryice Myxalytics. Its CVSS base score is 8.9 (High).

Operationally, ranked in the top 48.9% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-4 (Information Flow Enforcement) and SC-7 (Boundary Protection).

Threat & Defense at a Glance

What defenders deploy: see the NIST 800-53 controls recommended below.

Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)AI

SI-10 Information Input Validation good match

prevent

Validates inputs such as URLs or references to external resources, preventing the application from fetching and processing attacker-controlled malicious content.

AC-4 Information Flow Enforcement good match

prevent

Enforces flow control policies to block unauthorized outbound information flows to external attacker-controlled servers.

SC-7 Boundary Protection good match

preventdetect

Monitors and controls external communications at system boundaries, restricting HTTP requests to untrusted external resources.

NVD Description

HCL MyXalytics is affected by out-of-band resource load (HTTP) vulnerability. An attacker can deploy a web server that returns malicious content, and then induce the application to retrieve and process that content.

Deeper analysisAI

CVE-2024-42168 is an out-of-band resource load vulnerability involving HTTP requests in HCL MyXalytics. The issue allows an attacker to deploy a web server that returns malicious content and then induce the application to retrieve and process that content. It carries a CVSS v3.1 base score of 8.9 (AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:L) and maps to CWE-610 (Externally Controlled Reference to a Resource in Another Sphere) and CWE-918 (Server-Side Request Forgery).

An unauthenticated attacker accessible over the network can exploit this vulnerability, though it requires high attack complexity and no user interaction. By tricking the application into fetching and processing content from the attacker's controlled server, the attacker can achieve high impacts on confidentiality and integrity, with a low impact on availability, due to the cross-scope execution.

The HCL Software support knowledge base article at https://support.hcl-software.com/csm?id=kb_article&sysparm_article=KB0118149 provides details on advisories and mitigation steps for this vulnerability.

Details

CWE(s): CWE-610 CWE-918

Affected Products

hcltech

dryice myxalytics

6.3

CVEs Like This One

CVE-2024-42176Same product: Hcltech Dryice Myxalytics

CVE-2024-42180Same product: Hcltech Dryice Myxalytics

CVE-2024-42175Same product: Hcltech Dryice Myxalytics

CVE-2024-42172Same product: Hcltech Dryice Myxalytics

CVE-2024-42169Same product: Hcltech Dryice Myxalytics

CVE-2024-42181Same product: Hcltech Dryice Myxalytics

CVE-2024-30150Same vendor: Hcltech

CVE-2025-52631Same vendor: Hcltech

CVE-2025-52626Same vendor: Hcltech

CVE-2025-55270Same vendor: Hcltech

References

https://support.hcl-software.com/csm?id=kb_article&sysparm_article=KB0118149
Vendor Advisory · psirt@hcl.com