Cyber Posture

CVE-2024-42169

Severity: High

Published: 11 January 2025
Modified: 16 May 2025
KEV Added: none (not in the CISA KEV catalog)
Patch: see the HCL advisory referenced below
CVSS Score: 7.1 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:N)
EPSS Score: 0.0034 (percentile 57.1)
Risk Priority: 14 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2024-42169 is a high-severity Authorization Bypass Through User-Controlled Key (CWE-639) vulnerability in Hcltech Dryice Myxalytics. Its CVSS base score is 7.1 (High).

Operationally, it ranks in the top 42.9% of CVEs by exploit likelihood (EPSS); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-24 (Access Control Decisions) and AC-25 (Reference Monitor).

Threat & Defense at a Glance

What defenders deploy: see the NIST 800-53 controls recommended below.
Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)

AC-3 (prevent): requires systems to enforce approved authorizations for logical access to information and resources, directly preventing IDOR by ensuring that user permissions are verified for the specific data object requested.

AC-24 (prevent): mandates explicit authorization decisions for access to specific system resources by defined personnel or roles, addressing the core failure in verifying user access rights to targeted data.

AC-25 (prevent): employs a reference monitor mechanism to mediate and enforce access control policies for all subject-object interactions, comprehensively blocking unauthorized direct object references.

NVD Description

HCL MyXalytics is affected by insecure direct object references. It occurs due to missing access control checks, which fail to verify whether a user should be allowed to access specific data.

Deeper analysis

CVE-2024-42169 is an insecure direct object reference (IDOR) vulnerability in HCL MyXalytics, stemming from missing access control checks that fail to verify whether a user is authorized to access specific data. Mapped to CWE-639, it carries a CVSS v3.1 base score of 7.1 (AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:N), indicating high severity due to its potential for unauthorized data manipulation.

The vulnerability can be exploited by low-privileged authenticated users (PR:L) over the network (AV:N) with low attack complexity and no user interaction required. Successful exploitation enables high integrity impact (I:H), such as unauthorized modification of data, alongside low confidentiality impact (C:L) through unauthorized access to sensitive information, without affecting availability.
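As an added illustration of the missing check described above (example code written for this page, not HCL's or the MyXalytics code base), the handler below trusts the caller-supplied record id, while the hardened version routes every read and write through a single authorization check and logs denials so id walking can be spotted. Users, roles and report records are constructed sample data.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional

@dataclass
class User:
    name: str
    roles: frozenset = frozenset()

# Constructed sample data (not real MyXalytics records): report id -> owner, body.
REPORTS: Dict[int, dict] = {
    1001: {"owner": "alice", "body": "Q1 cost report"},
    1002: {"owner": "bob", "body": "Q1 incident report"},
}
AUDIT_LOG: List[str] = []

def get_report_insecure(user: User, report_id: int) -> dict:
    """Vulnerable pattern (CWE-639): the caller-supplied key is trusted; nothing
    checks whether `user` may read or change this record."""
    return REPORTS[report_id]

def authorize(user: User, action: str, report_id: int) -> bool:
    """Single mediation point (cf. AC-25): owners may read and write, auditors
    may only read, everyone else is denied. Every access path calls this."""
    record = REPORTS.get(report_id)
    allowed = record is not None and (
        record["owner"] == user.name or ("auditor" in user.roles and action == "read"))
    if not allowed:  # unknown ids are logged too: probing them is part of id walking
        AUDIT_LOG.append(f"DENY user={user.name} action={action} report={report_id}")
    return allowed

def get_report_secure(user: User, report_id: int) -> Optional[dict]:
    """Hardened read: the object-level check runs before the lookup (C:L side)."""
    return REPORTS[report_id] if authorize(user, "read", report_id) else None

def update_report_secure(user: User, report_id: int, body: str) -> bool:
    """Hardened write: refused unless the same check passes (I:H side)."""
    if not authorize(user, "write", report_id):
        return False
    REPORTS[report_id]["body"] = body
    return True

def denied_counts(log: List[str]) -> Dict[str, int]:
    """Detection aid: denials per user; a burst from one account suggests id walking."""
    counts: Dict[str, int] = {}
    for line in log:
        if line.startswith("DENY "):
            user = line.split()[1].split("=", 1)[1]
            counts[user] = counts.get(user, 0) + 1
    return counts
```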

HCL's advisory at https://support.hcl-software.com/csm?id=kb_article&sysparm_article=KB0118149 details mitigation steps and patches for addressing the issue in HCL MyXalytics.

Details

CWE(s): CWE-639 Authorization Bypass Through User-Controlled Key

Affected Products

Vendor: hcltech
Product: dryice myxalytics
Version: 6.3

CVEs Like This One

CVE-2024-42168 (same product: Hcltech Dryice Myxalytics)
CVE-2024-42180 (same product: Hcltech Dryice Myxalytics)
CVE-2024-42181 (same product: Hcltech Dryice Myxalytics)
CVE-2024-42175 (same product: Hcltech Dryice Myxalytics)
CVE-2024-42172 (same product: Hcltech Dryice Myxalytics)
CVE-2024-42176 (same product: Hcltech Dryice Myxalytics)
CVE-2024-30150 (same vendor: Hcltech)
CVE-2026-21765 (same vendor: Hcltech)
CVE-2025-55265 (same vendor: Hcltech)
CVE-2024-42210 (same vendor: Hcltech)
