Cyber Resilience

CVE-2024-42169

Severity: High
Published: 11 January 2025
Modified: 16 May 2025
KEV Added: not listed
Patch: vendor advisory with patches available (HCL KB0118149, linked below)
CVSS v3.1: 7.1 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:N)
EPSS: 0.0047 (65.0th percentile)
Risk Priority: 14 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2024-42169 is a high-severity Authorization Bypass Through User-Controlled Key (CWE-639) vulnerability in Hcltech Dryice Myxalytics. Its CVSS base score is 7.1 (High).

Operationally, exploitation maps to the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). By EPSS the CVE ranks in the top 35.0% of CVEs by exploit likelihood, and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-24 (Access Control Decisions) and AC-25 (Reference Monitor).

Deeper analysis

CVE-2024-42169 is an insecure direct object reference (IDOR) vulnerability in HCL MyXalytics, stemming from missing access control checks that fail to verify whether a user is authorized to access specific data. Mapped to CWE-639, it carries a CVSS v3.1 base score of 7.1 (AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:N), indicating high severity due to its potential for unauthorized data manipulation.

The vulnerability is exploitable over the network (AV:N) by any authenticated account, however low its privilege (PR:L), with low attack complexity (AC:L) and no user interaction (UI:N). Successful exploitation gives high integrity impact (I:H), such as unauthorized modification of another user's data, alongside low confidentiality impact (C:L) from reading records the caller should not see, with no availability impact (A:N) and no scope change (S:U), so the damage stays within the MyXalytics application itself.
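The missing check described above, shown as an added example that is not MyXalytics code and not part of the original page: a vulnerable handler that resolves a report from a user-supplied id and renames it, beside a hardened version in which every access passes through one authorization decision (the reference-monitor pattern behind the NIST controls listed under Mitigating Controls). The User/Report types, the tenant model, the in-memory store and the handler names are assumptions made for the example.

```python
# Added illustration of CWE-639 (IDOR) and its fix.  This is not MyXalytics
# code: the User/Report types, the tenant model and the handler names are
# assumptions made for the example.
from dataclasses import dataclass


@dataclass
class User:
    name: str
    tenant: str
    role: str = "analyst"


@dataclass
class Report:
    report_id: int
    tenant: str
    title: str


class Forbidden(Exception):
    """Raised for any access the policy does not explicitly allow."""


def fresh_store() -> dict:
    # Constructed data: two tenants, each owning one report.
    return {
        101: Report(101, "tenant-a", "Q1 capacity forecast"),
        202: Report(202, "tenant-b", "Incident cost summary"),
    }


# --- Vulnerable pattern (the page's "missing access control check") --------
# The handler resolves the object purely from the user-supplied key and
# never asks whether *this* user may touch *that* record.  Any authenticated
# account (PR:L) can read (C:L) or overwrite (I:H) any report by guessing ids.
def vulnerable_rename_report(store: dict, user: User, report_id: int,
                             new_title: str) -> Report:
    rep = store[report_id]          # user-controlled key, no ownership check
    rep.title = new_title
    return rep


# --- Hardened pattern ------------------------------------------------------
# One decision function mediates every subject/object/action triple (the
# reference-monitor idea behind AC-3/AC-24/AC-25 on this page).  Handlers
# call it before touching the object, so there is no path that skips it.
def authorize(user: User, rep: Report, action: str) -> None:
    same_tenant = rep.tenant == user.tenant
    if action == "read" and same_tenant:
        return
    if action == "write" and same_tenant and user.role in ("analyst", "admin"):
        return
    raise Forbidden(f"{user.name} may not {action} report {rep.report_id}")


def safe_rename_report(store: dict, user: User, report_id: int,
                       new_title: str) -> Report:
    rep = store.get(report_id)
    if rep is None:
        # Deny unknown ids with the same error as foreign ids, so the
        # response does not reveal which ids exist (no enumeration oracle).
        raise Forbidden(f"{user.name} may not write report {report_id}")
    authorize(user, rep, "write")
    rep.title = new_title
    return rep


def demo() -> dict:
    """Run both handlers as a cross-tenant attacker; return what each allowed."""
    mallory = User("mallory", "tenant-b")          # low-privileged, tenant-b
    outcome = {}
    store = fresh_store()
    vulnerable_rename_report(store, mallory, 101, "tampered")
    outcome["vulnerable_title"] = store[101].title  # tenant-a record was changed
    store = fresh_store()
    try:
        safe_rename_report(store, mallory, 101, "tampered")
        outcome["safe_blocked"] = False
    except Forbidden:
        outcome["safe_blocked"] = True
    outcome["safe_title"] = store[101].title        # unchanged
    return outcome


if __name__ == "__main__":
    print(demo())
```

The point of the hardened version is not the particular tenant rule but that the handler cannot reach the record without calling authorize(); returning the same Forbidden error for unknown and foreign ids also keeps the endpoint from telling an attacker which ids are worth trying.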

HCL's advisory at https://support.hcl-software.com/csm?id=kb_article&sysparm_article=KB0118149 details mitigation steps and patches for addressing the issue in HCL MyXalytics.

Vulnerability details

HCL MyXalytics is affected by insecure direct object references. It occurs due to missing access control checks, which fail to verify whether a user should be allowed to access specific data.

CWE(s): CWE-639 Authorization Bypass Through User-Controlled Key

Related Threats

MITRE ATT&CK Enterprise Techniques (AI-assisted mapping)

T1190 Exploit Public-Facing Application (Initial Access): Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

T1565.001 Stored Data Manipulation (Impact): Adversaries may insert, delete, or manipulate data at rest in order to influence external outcomes or hide activity, thus threatening the integrity of the data.
Why these techniques?

IDOR in a network-accessible web application directly enables exploitation of public-facing apps (T1190) and unauthorized stored data modification (T1565.001) by low-privileged users.

Confidence: MEDIUM · MITRE ATT&CK Enterprise v18.1
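Because an IDOR is a missing check, exploited requests succeed with 200 and produce no denied-access events, so detecting abuse of T1190/T1565.001 here means looking at the access pattern rather than at error codes. The following is an added example, not code from MyXalytics or from the original page: it flags accounts that touch many distinct object ids within a short window and counts how many of those requests were writes. The log format, the /api/reports/<id> path and the user names are assumptions constructed for the example.

```python
# Added detection example: flag an account that touches many distinct object
# ids in a short window, the access pattern an IDOR is abused with.  This is
# not MyXalytics code; the log format, paths and user names below are
# assumptions made for the example.
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample access log (not real product output).  Every request
# succeeds with 200: an IDOR is a *missing* check, so there are no 403s to
# alert on.  Detection has to come from the access pattern instead.
SAMPLE_LOG = """\
2025-01-11T10:00:01Z user=alice GET /api/reports/101 200
2025-01-11T10:00:05Z user=alice PUT /api/reports/101 200
2025-01-11T10:03:10Z user=bob GET /api/reports/202 200
2025-01-11T10:03:12Z user=bob GET /api/reports/203 200
2025-01-11T10:04:00Z user=mallory GET /api/reports/100 200
2025-01-11T10:04:01Z user=mallory GET /api/reports/101 200
2025-01-11T10:04:02Z user=mallory GET /api/reports/102 200
2025-01-11T10:04:03Z user=mallory GET /api/reports/103 200
2025-01-11T10:04:04Z user=mallory GET /api/reports/104 200
2025-01-11T10:04:09Z user=mallory PUT /api/reports/101 200
2025-01-11T10:04:10Z user=mallory GET /api/reports/105 200
2025-01-11T10:59:00Z user=mallory GET /api/reports/106 200
garbage line that does not parse
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) (?P<method>[A-Z]+) (?P<path>\S+) (?P<status>\d{3})$"
)
OBJECT_ID_RE = re.compile(r"^/api/reports/(\d+)$")
WRITE_METHODS = {"PUT", "POST", "PATCH", "DELETE"}


def parse_line(line: str):
    """Return (timestamp, user, method, object_id), or None for lines that are
    malformed or do not address a specific object."""
    m = LINE_RE.match(line)
    if not m:
        return None
    obj = OBJECT_ID_RE.match(m["path"])
    if not obj:
        return None
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return ts, m["user"], m["method"], int(obj.group(1))


def find_enumerators(log_text: str, window: timedelta = timedelta(minutes=5),
                     min_distinct: int = 5) -> dict:
    """Per user, slide a time window over their object requests and report the
    largest number of distinct ids seen in any window that reaches the
    threshold, plus how many requests in that window were writes."""
    per_user = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec:
            per_user[rec[1]].append(rec)

    alerts = {}
    for user, recs in per_user.items():
        recs.sort(key=lambda r: r[0])
        start = 0
        for end, (ts, _, _, _) in enumerate(recs):
            while ts - recs[start][0] > window:   # drop requests older than the window
                start += 1
            span = recs[start:end + 1]
            distinct = {r[3] for r in span}
            if len(distinct) < min_distinct:
                continue
            writes = sum(1 for r in span if r[2] in WRITE_METHODS)
            best = alerts.get(user)
            if best is None or len(distinct) > best["distinct_ids"]:
                alerts[user] = {
                    "distinct_ids": len(distinct),
                    "writes": writes,
                    "window_start": span[0][0].isoformat(),
                }
    return alerts


if __name__ == "__main__":
    for user, info in find_enumerators(SAMPLE_LOG).items():
        print(f"ALERT {user}: {info}")
```

On the sample, only mallory is flagged (six distinct report ids in ten seconds, one of them a write); alice and bob stay under the threshold. The threshold and window are tuning knobs: a legitimate dashboard that loads many reports per page view will need a higher min_distinct or an allow-list of bulk endpoints, and the write count is what separates data manipulation (T1565.001) from read-only enumeration.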

CVEs Like This One

CVE-2024-42175 (same product: Hcltech Dryice Myxalytics)
CVE-2024-42172 (same product: Hcltech Dryice Myxalytics)
CVE-2024-42168 (same product: Hcltech Dryice Myxalytics)
CVE-2024-42181 (same product: Hcltech Dryice Myxalytics)
CVE-2024-42180 (same product: Hcltech Dryice Myxalytics)
CVE-2024-42176 (same product: Hcltech Dryice Myxalytics)
CVE-2026-25564 (shared CWE-639)
CVE-2025-55271 (same vendor: Hcltech)
CVE-2026-26078 (shared CWE-639)
CVE-2025-55262 (same vendor: Hcltech)

Affected Assets

Vendor: hcltech
Product: dryice myxalytics
Version: 6.3

Mitigating Controls (NIST 800-53 r5, AI-assisted mapping)

AC-3 Access Enforcement (prevent): requires the system to enforce approved authorizations for logical access to information and resources. An IDOR is exactly a failure of this enforcement: the application resolves an object from a user-supplied key without checking that the caller is authorized for that object.

AC-24 Access Control Decisions (prevent): requires that an explicit authorization decision be applied to each access request before enforcement, which addresses the core failure here of never deciding whether the caller may access the targeted record.

AC-25 Reference Monitor (prevent): routes every subject-object interaction through a single mediating mechanism that is tamperproof, always invoked and small enough to analyse. A handler that can reach a record without passing through that mechanism is what makes direct object references exploitable.