CVE-2024-48310
Published: 28 January 2025
Summary
CVE-2024-48310 is a high-severity Exposure of Sensitive Information to an Unauthorized Actor (CWE-200) vulnerability. Its CVSS base score is 7.5 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Unsecured Credentials (T1552). The vulnerability is ranked at the 42.4th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 AC-22 (Publicly Accessible Content) and RA-5 (Vulnerability Monitoring and Scanning).
Deeper analysis
CVE-2024-48310 affects AutoLib Software Systems OPAC version 20.10, where multiple API keys are exposed within the source code. This vulnerability, classified under CWE-200 (Exposure of Sensitive Information to an Unauthorized Actor), carries a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N), indicating high confidentiality impact with no requirements for authentication, privileges, or user interaction.
Remote attackers without any prerequisites can exploit this issue by extracting the exposed API keys from the source code. Successful exploitation allows access to the backend API and other sensitive information, potentially enabling unauthorized data retrieval or further reconnaissance.
Mitigation details are available in the referenced advisories, including the Full Disclosure mailing list posting at https://seclists.org/fulldisclosure/2025/Jan/11. Security practitioners should review these for specific patching instructions or workarounds, as the vulnerability was publicly disclosed on January 28, 2025.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2024-43236
Vulnerability details
AutoLib Software Systems OPAC v20.10 was discovered to have multiple API keys exposed within the source code. Attackers may use these keys to access the backend API or other sensitive information.
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Exposed API keys in source code directly enable discovery and abuse of unsecured credentials for unauthorized API access.
Mitigating Controls (NIST 800-53 r5)
- Flaw remediation requires timely correction of vulnerabilities like exposed API keys in source code, directly preventing unauthorized access to backend APIs.
- Vulnerability monitoring and scanning detects exposures of sensitive information such as hardcoded API keys within application source code.
- Publicly accessible content controls ensure sensitive information like API keys is not exposed in downloadable or viewable source code of public-facing systems.
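The scanning and remediation controls above are easy to state and tedious to do by hand. The following is an added example (not code from AutoLib Software Systems, the OPAC product, or the advisory) of the kind of check a vulnerability-scanning control would run over a repository before it ships: it flags assignments to credential-looking names and long high-entropy string literals, and pairs that with the remediated pattern of reading the key from the environment at runtime. The sample files, identifier names, regexes and thresholds are all constructed for illustration and are assumptions, not patterns taken from the affected software.

```python
import math
import re
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List, Mapping

# Constructed sample sources (not AutoLib OPAC code). "config.js" models the
# CWE-200 condition: API keys sitting in shipped front-end source. "config_fixed.js"
# models the remediation: the key is injected from the environment at runtime.
SAMPLE_FILES: Dict[str, str] = {
    "config.js": (
        'const API_KEY = "AKIA0000EXAMPLE0000KEYXYZ";\n'
        'const searchCfg = "4f8e2a9c1b7d6e3f0a5c9b8d7e6f1a2b";\n'
        'const TIMEOUT_MS = 3000;\n'
        '// api_key = "placeholder"\n'
    ),
    "config_fixed.js": (
        'const API_KEY = process.env.OPAC_API_KEY;\n'
        'const TIMEOUT_MS = 3000;\n'
    ),
}

# Rule 1: a credential-looking identifier assigned a quoted literal of >= 16 chars.
# The length floor is what keeps short placeholders like "placeholder" out.
_CRED_ASSIGN_RE = re.compile(
    r"(?i)\b(?P<name>[A-Za-z_]*(?:api[_-]?key|secret|token|password)[A-Za-z_]*)"
    r"\s*[:=]\s*[\"'](?P<value>[^\"']{16,})[\"']"
)
# Rule 2: any quoted literal of >= 32 key-like characters, judged by entropy,
# which catches keys assigned to innocuous names ("searchCfg" above).
_LONG_LITERAL_RE = re.compile(r"[\"'](?P<value>[A-Za-z0-9+/=_\-]{32,})[\"']")
ENTROPY_THRESHOLD = 3.5  # bits per character; assumed cut-off, tune per code base


@dataclass(frozen=True)
class Finding:
    file: str
    line: int
    name: str
    masked: str    # never report the full secret back in scan output
    entropy: float
    reason: str


def shannon_entropy(s: str) -> float:
    """Shannon entropy in bits per character of the string."""
    if not s:
        return 0.0
    n = len(s)
    return -sum((c / n) * math.log2(c / n) for c in Counter(s).values())


def _mask(value: str) -> str:
    return value[:4] + "..." + ("*" * max(0, len(value) - 4))


def scan_source(files: Mapping[str, str]) -> List[Finding]:
    """Scan each file's text line by line; one finding per offending line."""
    findings: List[Finding] = []
    for path, text in files.items():
        for lineno, line in enumerate(text.splitlines(), start=1):
            m = _CRED_ASSIGN_RE.search(line)
            if m:
                val = m.group("value")
                findings.append(Finding(path, lineno, m.group("name"), _mask(val),
                                        round(shannon_entropy(val), 3),
                                        "credential-named assignment"))
                continue  # do not double-report the same line under rule 2
            for m in _LONG_LITERAL_RE.finditer(line):
                val = m.group("value")
                ent = shannon_entropy(val)
                if ent >= ENTROPY_THRESHOLD:
                    findings.append(Finding(path, lineno, "<unnamed literal>", _mask(val),
                                            round(ent, 3), "high-entropy string literal"))
                    break
    return findings


def load_api_key(env_name: str, environ: Mapping[str, str]) -> str:
    """Remediated pattern: the key comes from the deployment environment, never
    from source. Fail closed if it is absent rather than falling back to a literal."""
    try:
        return environ[env_name]
    except KeyError:
        raise KeyError(f"required credential {env_name} not set in environment") from None


if __name__ == "__main__":
    for f in scan_source(SAMPLE_FILES):
        print(f"{f.file}:{f.line} {f.reason} name={f.name} value={f.masked} H={f.entropy}")
```

Run as-is, the scan reports both keys in config.js (one by name, one by entropy) and nothing in config_fixed.js; the commented-out placeholder is not reported because it is shorter than the length floor. In a real pipeline this check belongs in pre-commit and CI, and a hit should be treated as a key-rotation event, not only a code fix, since anything already published in client-side source must be assumed to have been read.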