Cyber Posture

CVE-2024-48310

High

Published: 28 January 2025
Modified: 15 April 2026
CVSS Score: 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)
EPSS Score: 0.0020 (42.1st percentile)
Risk Priority: 15 (weighted 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2024-48310 is a high-severity Exposure of Sensitive Information to an Unauthorized Actor (CWE-200) vulnerability. Its CVSS base score is 7.5 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Unsecured Credentials (T1552). Its EPSS score ranks at the 42.1st percentile by exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-22 (Publicly Accessible Content) and RA-5 (Vulnerability Monitoring and Scanning).

Threat & Defense at a Glance

What attackers do: exploitation maps to Unsecured Credentials (T1552). What defenders deploy: see the NIST 800-53 controls recommended below.

Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)

Prevent: Flaw remediation requires timely correction of vulnerabilities like exposed API keys in source code, directly preventing unauthorized access to backend APIs.

Detect (RA-5): Vulnerability monitoring and scanning detects exposures of sensitive information such as hardcoded API keys within application source code.

Prevent (AC-22): Publicly accessible content controls ensure sensitive information like API keys is not exposed in downloadable or viewable source code of public-facing systems.

MITRE ATT&CK Enterprise Techniques

T1552 Unsecured Credentials (tactic: Credential Access)
Adversaries may search compromised systems to find and obtain insecurely stored credentials.

Why these techniques?

Exposed API keys in source code directly enable discovery and abuse of unsecured credentials for unauthorized API access.

Confidence: MEDIUM · MITRE ATT&CK Enterprise v18.1

NVD Description

AutoLib Software Systems OPAC v20.10 was discovered to have multiple API keys exposed within the source code. Attackers may use these keys to access the backend API or other sensitive information.

Deeper analysis

CVE-2024-48310 affects AutoLib Software Systems OPAC version 20.10, where multiple API keys are exposed within the source code. This vulnerability, classified under CWE-200 (Exposure of Sensitive Information to an Unauthorized Actor), carries a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N), indicating high confidentiality impact with no requirements for authentication, privileges, or user interaction.

Remote attackers without any prerequisites can exploit this issue by extracting the exposed API keys from the source code. Successful exploitation allows access to the backend API and other sensitive information, potentially enabling unauthorized data retrieval or further reconnaissance.

Mitigation details are available in the referenced advisories, including the Full Disclosure mailing list posting at https://seclists.org/fulldisclosure/2025/Jan/11. Security practitioners should review these for specific patching instructions or workarounds, as the vulnerability was publicly disclosed on January 28, 2025.

Details

CWE(s): CWE-200 (Exposure of Sensitive Information to an Unauthorized Actor)

CVEs Like This One

CVE-2025-24899 (shared CWE-200)
CVE-2025-62188 (shared CWE-200)
CVE-2026-25146 (shared CWE-200)
CVE-2026-2476 (shared CWE-200)
CVE-2024-56902 (shared CWE-200)
CVE-2025-55976 (shared CWE-200)
CVE-2024-48125 (shared CWE-200)
CVE-2024-50338 (shared CWE-200)
CVE-2025-55190 (shared CWE-200)
CVE-2025-68438 (shared CWE-200)

References

Full Disclosure mailing list posting: https://seclists.org/fulldisclosure/2025/Jan/11