CVE-2024-50967
Published: 17 January 2025
Summary
CVE-2024-50967 is a medium-severity Missing Authorization (CWE-862) vulnerability in Readthedocs (inferred from references). Its CVSS base score is 6.5 (Medium).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 2.8% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 AC-14 (Permitted Actions Without Identification or Authentication) and AC-3 (Access Enforcement).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Directly limits permitted actions without identification or authentication, preventing unauthenticated access to the /rest/rights/ endpoint.
Enforces approved authorizations for logical access, ensuring the API endpoint requires authentication to access sensitive rights information.
Implements least privilege to restrict access to sensitive information only to authorized users, mitigating unauthorized disclosure via the unauthenticated endpoint.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Direct unauthenticated network access to public REST API endpoint enables exploitation of public-facing application for sensitive data disclosure.
NVD Description
The /rest/rights/ REST API endpoint in Becon DATAGerry through 2.2.0 contains an Incorrect Access Control vulnerability. An attacker can remotely access this endpoint without authentication, leading to unauthorized disclosure of sensitive information.
Deeper analysisAI
CVE-2024-50967 is an Incorrect Access Control vulnerability (CWE-862) affecting the /rest/rights/ REST API endpoint in Becon DATAGerry through version 2.2.0. This flaw allows remote access to the endpoint without authentication, resulting in the unauthorized disclosure of sensitive information. The vulnerability has a CVSS v3.1 base score of 6.5 (AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N), indicating medium severity with network accessibility, low attack complexity, no required privileges, user interaction, and high confidentiality impact.
A remote attacker with no privileges can exploit this vulnerability by directly accessing the /rest/rights/ endpoint over the network. Although user interaction is required per the CVSS vector, the core issue enables unauthenticated retrieval of sensitive data, potentially exposing rights or permissions information that could aid further attacks or reconnaissance.
Mitigation guidance and additional details are provided in official advisories, including the DATAGerry REST API documentation at https://datagerry.readthedocs.io/en/latest/api/rest/user-management.html#rights, a GitHub repository at https://github.com/0xByteHunter/CVE-2024-50967, and a Medium article by the discoverer at https://medium.com/@0xbytehunter/my-first-cve-discovery-of-broken-access-control-in-the-datagerry-platform-7b0404f88a43. Security practitioners should review these resources for patching instructions and workarounds, as DATAGerry versions through 2.2.0 remain vulnerable.
Details
- CWE(s)