CVE-2024-53829
Published: 21 January 2025
Summary
CVE-2024-53829 is a high-severity cross-site request forgery (CSRF, CWE-352) vulnerability in Ericsson CodeChecker. Its CVSS base score is 8.2 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 39.0th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SC-23 (Session Authenticity) and SI-10 (Information Input Validation).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
SC-23 requires mechanisms to protect communications session authenticity, such as CSRF tokens or SameSite cookies, directly preventing unauthenticated attackers from hijacking logged-in user sessions in CodeChecker.
SI-10 mandates validation of information inputs to the web API; for state-changing requests this means rejecting submissions that lack a CSRF token bound to the caller's session (or that arrive from an unexpected origin), so a forged form post cannot add, edit or remove products.
SI-2 requires timely flaw remediation, such as patching CodeChecker to versions beyond 6.24.4, eliminating the specific CSRF vulnerability.
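To make the two technical controls concrete, here is an added example of the server-side checks SC-23 and SI-10 describe for a form-driven web API: a synchronizer token bound to the session, an Origin/Referer check, and a SameSite session cookie. This is illustrative code written for this page, not CodeChecker's code or its actual fix; the signing secret, the allowed origin, the cookie name, the request shape and the product-management form fields are all assumptions.

```python
"""Server-side CSRF checks for a form-driven web API (added example)."""
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Dict, Optional
from urllib.parse import urlparse

# Assumptions for this example (not taken from CodeChecker): a per-deployment
# signing secret and the single origin the web UI is served from.
SERVER_SECRET = secrets.token_bytes(32)
ALLOWED_ORIGINS = {"https://codechecker.example.com"}
STATE_CHANGING = {"POST", "PUT", "PATCH", "DELETE"}


@dataclass
class Request:
    """Minimal stand-in for an incoming HTTP request."""
    method: str
    headers: Dict[str, str]
    cookies: Dict[str, str]
    form: Dict[str, str] = field(default_factory=dict)


def session_cookie_header(session_id: str) -> str:
    """Set-Cookie value: SameSite=Lax stops the browser attaching the cookie to
    cross-site form POSTs, which is the vector described for this CVE."""
    return f"session={session_id}; Path=/; Secure; HttpOnly; SameSite=Lax"


def issue_csrf_token(session_id: str) -> str:
    """Synchronizer token bound to one session: nonce.HMAC(secret, session:nonce)."""
    nonce = secrets.token_hex(16)
    mac = hmac.new(SERVER_SECRET, f"{session_id}:{nonce}".encode(), hashlib.sha256).hexdigest()
    return f"{nonce}.{mac}"


def verify_csrf_token(session_id: str, token: Optional[str]) -> bool:
    """Recompute the MAC for this session and compare in constant time."""
    if not token or "." not in token:
        return False
    nonce, mac = token.split(".", 1)
    expected = hmac.new(SERVER_SECRET, f"{session_id}:{nonce}".encode(), hashlib.sha256).hexdigest()
    return hmac.compare_digest(mac, expected)


def request_origin(headers: Dict[str, str]) -> Optional[str]:
    """Origin header if present, else scheme://host of Referer, else None."""
    if "Origin" in headers:
        return headers["Origin"]
    referer = headers.get("Referer")
    if not referer:
        return None
    parsed = urlparse(referer)
    return f"{parsed.scheme}://{parsed.netloc}"


def authorize_state_change(req: Request) -> str:
    """Return 'allowed' or the reason a state-changing request is rejected."""
    if req.method not in STATE_CHANGING:
        return "allowed"           # safe methods carry no CSRF risk by themselves
    session_id = req.cookies.get("session")
    if not session_id:
        return "no-session"        # unauthenticated: there is no session to ride
    if request_origin(req.headers) not in ALLOWED_ORIGINS:
        return "bad-origin"        # cross-site, or no provenance at all
    if not verify_csrf_token(session_id, req.form.get("csrf_token")):
        return "bad-token"         # forged form lacks a token bound to this session
    return "allowed"


def demo() -> Dict[str, str]:
    """Constructed requests against a hypothetical product-management endpoint."""
    victim, other = "sid-victim", "sid-other"
    token = issue_csrf_token(victim)
    same_site = {"Origin": "https://codechecker.example.com"}
    cross_site = {"Origin": "https://attacker.example"}
    cookies = {"session": victim}  # the browser attaches these on the victim's behalf
    return {
        "legit": authorize_state_change(
            Request("POST", same_site, cookies, {"csrf_token": token, "name": "prod"})),
        "cross_site_form": authorize_state_change(
            Request("POST", cross_site, cookies, {"name": "prod"})),
        "no_provenance": authorize_state_change(
            Request("POST", {}, cookies, {"csrf_token": token})),
        "token_from_other_session": authorize_state_change(
            Request("POST", same_site, cookies, {"csrf_token": issue_csrf_token(other)})),
        "read_only": authorize_state_change(Request("GET", cross_site, cookies)),
    }


if __name__ == "__main__":
    for case, verdict in demo().items():
        print(f"{case:26} {verdict}")
```

The token is bound to the session rather than being a global secret because a form-based CSRF attacker can send requests but never read the responses: they cannot fetch the victim's token, and a token they legitimately obtained for their own account fails verification against the victim's session. The Origin check rejects the cross-site post before the token is even consulted, and the SameSite=Lax cookie means a compliant browser would not have attached the session cookie to that post in the first place.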
MITRE ATT&CK Enterprise Techniques
Why these techniques?
A CSRF flaw in a public-facing web API is exploited against the application itself (T1190), but only once a logged-in user interacts with a malicious link or page (T1204.001) that submits the forged request under that user's authenticated session.
NVD Description
CodeChecker is an analyzer tooling, defect database and viewer extension for the Clang Static Analyzer and Clang Tidy. Cross-site request forgery allows an unauthenticated attacker to hijack the authentication of a logged in user, and use the web API with the same permissions, including but not limited to adding, removing or editing products. The attacker needs to know the ID of the available products to modify or delete them. The attacker cannot directly exfiltrate data (view) from CodeChecker, due to being limited to form-based CSRF. This issue affects CodeChecker: through 6.24.4.
Deeper analysis
CVE-2024-53829 is a cross-site request forgery (CSRF) vulnerability, classified under CWE-352, in CodeChecker, an analyzer tooling, defect database, and viewer extension for the Clang Static Analyzer and Clang Tidy. The flaw allows an unauthenticated attacker to hijack the authentication of a logged-in user and perform actions via the web API with the victim's permissions. It affects CodeChecker versions through 6.24.4 and carries a CVSS v3.1 base score of 8.2 (AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:H/A:N).
An unauthenticated attacker can exploit this vulnerability by tricking a logged-in user into visiting a malicious webpage or resource that submits forged requests to the CodeChecker web API, which the browser sends with the victim's session cookie. Successful exploitation grants the attacker the same permissions as the victim, enabling actions such as adding, removing, or editing products. Two limits apply: the attacker must already know the IDs of existing products to modify or delete them, and because the attack is limited to form-based CSRF, the attacker's page can send requests but cannot read their responses, so data such as reports cannot be viewed or exfiltrated directly.
The GitHub security advisory at https://github.com/Ericsson/codechecker/security/advisories/GHSA-f8c8-4pm7-w885 provides details on the issue, including mitigation guidance. Affected users should upgrade to CodeChecker versions beyond 6.24.4, where the vulnerability is addressed.
Details
- CWE(s)