CVE-2024-42169
Published: 11 January 2025
Summary
CVE-2024-42169 is a high-severity Authorization Bypass Through User-Controlled Key (CWE-639) vulnerability in Hcltech Dryice Myxalytics. Its CVSS base score is 7.1 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks in the top 35.0% of CVEs by exploit likelihood and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 AC-24 (Access Control Decisions) and AC-25 (Reference Monitor).
Deeper analysis
CVE-2024-42169 is an insecure direct object reference (IDOR) vulnerability in HCL MyXalytics, stemming from missing access control checks that fail to verify whether a user is authorized to access specific data. Mapped to CWE-639, it carries a CVSS v3.1 base score of 7.1 (AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:N), indicating high severity due to its potential for unauthorized data manipulation.
The vulnerability is exploitable by any low-privileged authenticated user (PR:L) over the network (AV:N), with low attack complexity (AC:L) and no user interaction (UI:N): the attacker only needs a valid account and a guessable or enumerable object identifier. Successful exploitation has high integrity impact (I:H), i.e. unauthorized modification of records the attacker does not own, and low confidentiality impact (C:L), i.e. unauthorized read access to some sensitive data, with no effect on availability (A:N).
HCL's advisory at https://support.hcl-software.com/csm?id=kb_article&sysparm_article=KB0118149 details mitigation steps and patches for addressing the issue in HCL MyXalytics.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2024-39995
Vulnerability details
HCL MyXalytics is affected by insecure direct object references. It occurs due to missing access control checks, which fail to verify whether a user should be allowed to access specific data.
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
IDOR in a network-accessible web application is reached by exploiting a public-facing application (T1190), and because the missing check also covers write operations, a low-privileged user can modify records they do not own (Stored Data Manipulation, T1565.001).
Mitigating Controls (NIST 800-53 r5)
AC-3 requires systems to enforce approved authorizations for logical access to information and resources, directly preventing IDOR by ensuring verification of user permissions for specific data objects.
AC-24 mandates explicit authorization decisions for access to specific system resources by defined personnel or roles, addressing the core failure in verifying user access rights to targeted data.
AC-25 employs a reference monitor mechanism to mediate and enforce access control policies for all subject-object interactions, comprehensively blocking unauthorized direct object references.
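The following is an added example, not code from HCL MyXalytics or from the advisory, illustrating both the vulnerability class described under "Deeper analysis" and the AC-24/AC-25 controls above: a report-lookup endpoint that trusts the caller-supplied report ID (CWE-639) beside a hardened version in which every read and write passes through a single, explicit, per-object authorization function. The data model, user roles, and sample records are constructed for illustration and are not taken from the product.

```python
# Added example (not HCL's code): CWE-639 IDOR beside a hardened handler
# that routes every subject/object access through one authorization
# decision point. All names and sample data below are constructed.
from dataclasses import dataclass


class Forbidden(Exception):
    """Raised when the subject may not perform the action on the object."""


@dataclass(frozen=True)
class Report:
    report_id: int
    owner_id: int
    tenant_id: int
    body: str


@dataclass(frozen=True)
class User:
    user_id: int
    tenant_id: int
    roles: frozenset = frozenset()


# Constructed sample store: two tenants, three reports.
REPORTS = {
    101: Report(101, owner_id=1, tenant_id=10, body="tenant-10 Q1 KPIs"),
    102: Report(102, owner_id=2, tenant_id=10, body="tenant-10 incident review"),
    201: Report(201, owner_id=3, tenant_id=20, body="tenant-20 board deck"),
}
ALICE = User(user_id=1, tenant_id=10)                             # owns 101
BOB = User(user_id=2, tenant_id=10, roles=frozenset({"analyst"}))  # same tenant
MALLORY = User(user_id=3, tenant_id=20)                           # other tenant


# --- Vulnerable: the key from the request is used as-is (CWE-639) ---------
def get_report_vulnerable(db, user, report_id):
    # Authentication happened upstream, but nothing checks that *this* user
    # may see *this* report, so any logged-in user can walk the ID space.
    return db[report_id].body


def update_report_vulnerable(db, user, report_id, new_body):
    # The same gap on the write path is what gives the vector its I:H.
    current = db[report_id]
    db[report_id] = Report(report_id, current.owner_id, current.tenant_id, new_body)
    return True


# --- Hardened: one mediation point for every subject/object/action -------
def authorize(user, action, report):
    """Single choke point in the spirit of a reference monitor (AC-25):
    the decision is explicit, per object and per action (AC-24), and
    default-deny."""
    if report.tenant_id != user.tenant_id:
        return False                       # never cross a tenant boundary
    if "admin" in user.roles:
        return True
    if action == "read":
        return report.owner_id == user.user_id or "analyst" in user.roles
    if action == "write":
        return report.owner_id == user.user_id
    return False                           # unknown action: deny


def _load_authorized(db, user, action, report_id):
    report = db.get(report_id)
    # Missing and forbidden raise the same error so the caller cannot
    # enumerate valid IDs by telling a 403 from a 404.
    if report is None or not authorize(user, action, report):
        raise Forbidden(f"user {user.user_id} may not {action} report {report_id}")
    return report


def get_report(db, user, report_id):
    return _load_authorized(db, user, "read", report_id).body


def update_report(db, user, report_id, new_body):
    current = _load_authorized(db, user, "write", report_id)
    db[report_id] = Report(report_id, current.owner_id, current.tenant_id, new_body)
    return True


if __name__ == "__main__":
    # Mallory (tenant 20) reads a tenant-10 report through the vulnerable path...
    print("vulnerable:", get_report_vulnerable(dict(REPORTS), MALLORY, 101))
    # ...and is refused by the hardened one.
    try:
        get_report(dict(REPORTS), MALLORY, 101)
    except Forbidden as exc:
        print("hardened:", exc)
```

The point of `_load_authorized` is that the handler never touches the record before the decision is made and never has a second code path that skips it; that is the property a reference monitor provides, and it is the property the vulnerable handlers lack. Collapsing "not found" and "not allowed" into one response is a deliberate choice so that the numeric ID space cannot be mapped by observing which requests fail for which reason.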